Abstract

Self-stabilization is a versatile approach to fault tolerance since it permits a distributed system to recover from any transient fault that arbitrarily corrupts the contents of all memories in the system. Byzantine tolerance is an attractive feature of distributed systems that permits coping with arbitrary malicious behaviors. This paper focuses on systems that are both self-stabilizing and Byzantine tolerant.

We consider the well-known problem of constructing a maximum metric tree in this context. Combining these two properties is known to induce many impossibility results. In this paper, we first provide two impossibility results about the construction of maximum metric trees in the presence of transient and (permanent) Byzantine faults. Then, we provide a new self-stabilizing protocol that provides optimal containment of an arbitrary number of Byzantine faults.

Keywords: Byzantine fault, Distributed protocol, Fault tolerance, Stabilization, Spanning tree construction

1 Introduction 

The advent of ubiquitous large-scale distributed systems advocates that tolerance to various kinds of faults and hazards must be included from the very early design of such systems. Self-stabilization [2, 3, 16] is a versatile technique that permits forward recovery from any kind of transient fault, while Byzantine fault-tolerance [12] is traditionally used to mask the effect of a limited number of malicious faults. Making distributed systems tolerant to both transient and malicious faults is appealing yet proved difficult [?, ?, 15], as impossibility results are expected in many cases.

Related Works A promising path towards multitolerance to both transient and Byzantine faults is Byzantine containment. For local tasks (i.e. tasks whose correctness can be checked locally, such as vertex coloring, link coloring, or dining philosophers), the notion of strict stabilization was proposed [15, ?]. Strict stabilization guarantees that there exists a containment radius outside which the effect of permanent faults is masked, provided that the problem specification makes it possible to break the causality chain that is caused by the faults. As many problems are not local, it turns out that it is impossible to provide strict stabilization for those. To circumvent impossibility results, the weaker notion of strong stabilization was proposed [13, 7]: here, correct nodes outside the containment radius may be perturbed by the actions of Byzantine nodes, but only a finite number of times.

Recently, the idea of generalizing strict and strong stabilization to an area that depends on the graph topology and the problem to be solved, rather than an arbitrary fixed containment radius, was proposed [5, 6] and denoted by topology-aware strict (and strong) stabilization. When maximizable metric trees are considered, [5] proposed an optimal (with respect to impossibility results) protocol for topology-aware strict stabilization, and for the simpler case of breadth-first-search metric trees, [6] presented a protocol that is optimal both with respect to strict and strong variants of topology-aware stabilization. The case of optimality for topology-aware strong stabilization in the general maximum metric case remains open.

Our Contribution In this paper, we investigate the possibility of topology-aware strong stabilization for tasks that are global (i.e. for which there exists a causality chain of size $r$, where $r$ depends on $n$, the size of the network), and focus on the maximum metric tree problem. Our contribution in this paper is threefold. First, we provide two impossibility results for self-stabilizing maximum metric tree construction in the presence of Byzantine faults. In more detail, we characterize a specific class of maximizable metrics (which includes breadth-first-search and shortest path metrics) that prevents the existence of strongly stabilizing solutions, and we generalize an impossibility result of [6] that provides a lower bound on the containment area for topology-aware strong stabilization (Section 3). Second, we provide a topology-aware strongly stabilizing protocol that matches this lower bound on the containment area (Section 4). Finally, we provide a necessary and sufficient condition for the existence of a strongly stabilizing solution (Section 5).

2 Model, Definitions and Previous Results 
2.1 State Model 

A distributed system $S = (V, L)$ consists of a set $V = \{v_1, v_2, \ldots, v_n\}$ of processes and a set $L$ of bidirectional communication links (simply called links). A link is an unordered pair of distinct processes. A distributed system $S$ can be regarded as a graph whose vertex set is $V$ and whose link set is $L$, so we use graph terminology to describe a distributed system $S$. We use the following notations: $n = |V|$, $m = |L|$ and $d(u, v)$ denotes the distance between two processes $u$ and $v$ (i.e. the length of the shortest path between $u$ and $v$).

Processes $u$ and $v$ are called neighbors if $(u, v) \in L$. The set of neighbors of a process $v$ is denoted by $N_v$. We do not assume the existence of a unique identifier for each process. Instead, we assume that each process can distinguish its neighbors from each other by locally labeling them.

In this paper, we consider distributed systems of arbitrary topology. We assume that a single 
process is distinguished as a root, and all the other processes are identical. We adopt the shared 
state model as a communication model in this paper, where each process can directly read the 
states of its neighbors. 

The variables that are maintained by processes denote process states. A process may take actions during the execution of the system. An action is simply a function that is executed in an atomic manner by the process. The actions executed by each process are described by a finite set of guarded actions of the form $\langle guard \rangle \rightarrow \langle statement \rangle$. Each guard of process $u$ is a boolean expression involving the variables of $u$ and its neighbors.
A global state of a distributed system is called a configuration and is specified by a product of states of all processes. We define $C$ to be the set of all possible configurations of a distributed system $S$. For a process set $R \subseteq V$ and two configurations $\rho$ and $\rho'$, we denote $\rho \xrightarrow{R} \rho'$ when $\rho$ changes to $\rho'$ by executing an action of each process in $R$ simultaneously. Notice that $\rho$ and $\rho'$ can differ only in the states of processes in $R$. For completeness of execution semantics, we should clarify the configuration resulting from simultaneous actions of neighboring processes. The action of a process depends only on its state at $\rho$ and the states of its neighbors at $\rho$, and the result of the action is reflected in the state of the process at $\rho'$.

We say that a process is enabled in a configuration $\rho$ if the guard of at least one of its actions evaluates to true in $\rho$.

A schedule of a distributed system is an infinite sequence of process sets. Let $Q = R^1, R^2, \ldots$ be a schedule, where $R^i \subseteq V$ holds for each $i$ ($i \ge 1$). An infinite sequence of configurations $e = \rho_0, \rho_1, \ldots$ is called an execution from an initial configuration $\rho_0$ by a schedule $Q$ if $e$ satisfies $\rho_{i-1} \xrightarrow{R^i} \rho_i$ for each $i$ ($i \ge 1$). Process actions are executed atomically, and we distinguish some properties of the scheduler (or daemon). A distributed daemon schedules the actions of processes such that any subset of processes can simultaneously execute their actions. We say that the daemon is central if it schedules the action of only one process at any step. The set of all possible executions from $\rho_0 \in C$ is denoted by $E_{\rho_0}$. The set of all possible executions is denoted by $E$, that is, $E = \bigcup_{\rho \in C} E_\rho$. We consider asynchronous distributed systems but we add the following assumption on schedules: any schedule is strongly fair (that is, it is impossible for any process to be infinitely often enabled without executing its action in an execution) and $k$-bounded (that is, it is impossible for any process to execute more than $k$ actions between two consecutive action executions of any other process).

In this paper, we consider (permanent) Byzantine faults: a Byzantine process (i.e. a Byzantine-faulty process) can behave arbitrarily, independently of its actions. If $v$ is a Byzantine process, $v$ can repeatedly change its variables arbitrarily. For a given execution, the number of faulty processes is arbitrary, but we assume that the root process is never faulty.

2.2 Self-Stabilizing Protocols Resilient to Byzantine Faults 

Problems considered in this paper are so-called static problems, i.e. they require the system to find static solutions. For example, the spanning-tree construction problem is a static problem, while the mutual exclusion problem is not. Some static problems can be defined by a specification predicate (shortly, specification), $spec(v)$, for each process $v$: a configuration is a desired one (with a solution) if every process satisfies $spec(v)$. A specification $spec(v)$ is a boolean expression on variables of $P_v$ ($\subseteq V$) where $P_v$ is the set of processes whose variables appear in $spec(v)$. The variables appearing in the specification are called output variables (shortly, O-variables). In what follows, we consider a static problem defined by specification $spec(v)$.

A self-stabilizing protocol ([2]) is a protocol that eventually reaches a legitimate configuration, where $spec(v)$ holds at every process $v$, regardless of the initial configuration. Once it reaches a legitimate configuration, every process never changes its O-variables and always satisfies $spec(v)$. From this definition, a self-stabilizing protocol is expected to tolerate any number and any type of transient faults since it can eventually recover from any configuration affected by the transient faults. However, the recovery from any configuration is guaranteed only when every process correctly executes its action from the configuration, i.e., we do not consider the existence of permanently faulty processes.

When (permanent) Byzantine processes exist, Byzantine processes may not satisfy $spec(v)$. In addition, correct processes near the Byzantine processes can be influenced and may be unable to satisfy $spec(v)$. Nesterenko and Arora [15] define a strictly stabilizing protocol as a self-stabilizing protocol resilient to an unbounded number of Byzantine processes.

Given an integer $c$, a $c$-correct process is a process defined as follows.

Definition 1 ($c$-correct process) A process is $c$-correct if it is correct (i.e. not Byzantine) and located at distance more than $c$ from any Byzantine process.

Definition 2 ($(c, f)$-containment) A configuration $\rho$ is $(c, f)$-contained for specification $spec$ if, given at most $f$ Byzantine processes, in any execution starting from $\rho$, every $c$-correct process $v$ always satisfies $spec(v)$ and never changes its O-variables.

The parameter $c$ of Definition 2 refers to the containment radius defined in [15]. The parameter $f$ refers explicitly to the number of Byzantine processes, while [15] dealt with an unbounded number of Byzantine faults (that is, $f \in \{0, \ldots, n\}$).

Definition 3 ($(c, f)$-strict stabilization) A protocol is $(c, f)$-strictly stabilizing for specification $spec$ if, given at most $f$ Byzantine processes, any execution $e = \rho_0, \rho_1, \ldots$ contains a configuration $\rho_i$ that is $(c, f)$-contained for $spec$.

An important limitation of the model of [15] is the notion of $r$-restrictive specifications. Intuitively, a specification is $r$-restrictive if it prevents combinations of states that belong to two processes $u$ and $v$ that are at least $r$ hops away. An important consequence related to Byzantine tolerance is that the containment radius of protocols solving those specifications is at least $r$. For some (global) problems $r$ cannot be bounded by a constant. In consequence, we can show that there exists no $(c, 1)$-strictly stabilizing protocol for such a problem for any (finite) integer $c$.

Strong stabilization To circumvent such impossibility results, [7] defines a weaker notion than strict stabilization. Here, the requirement on the containment radius is relaxed, i.e. there may exist processes outside the containment radius that invalidate the specification predicate, due to Byzantine actions. However, the impact of Byzantine-triggered actions is limited in time: the set of Byzantine processes may only impact processes outside the containment radius a bounded number of times, even if Byzantine processes execute an infinite number of actions.

In the remainder of this section, we recall the formal definition of strong stabilization adopted in [7]. From the states of $c$-correct processes, $c$-legitimate configurations and $c$-stable configurations are defined as follows.

Definition 4 ($c$-legitimate configuration) A configuration $\rho$ is $c$-legitimate for $spec$ if every $c$-correct process $v$ satisfies $spec(v)$.

Definition 5 ($c$-stable configuration) A configuration $\rho$ is $c$-stable if every $c$-correct process never changes the values of its O-variables as long as Byzantine processes make no action.
Roughly speaking, the aim of self-stabilization is to guarantee that a distributed system eventually reaches a $c$-legitimate and $c$-stable configuration. However, a self-stabilizing system can be disturbed by Byzantine processes after reaching a $c$-legitimate and $c$-stable configuration. A $c$-disruption represents a period where $c$-correct processes are disturbed by Byzantine processes and is defined as follows.

Definition 6 ($c$-disruption) A portion of execution $e = \rho_0, \rho_1, \ldots, \rho_t$ ($t > 1$) is a $c$-disruption if and only if the following holds:

1. $e$ is finite,

2. $e$ contains at least one action of a $c$-correct process for changing the value of an O-variable,

3. $\rho_0$ is $c$-legitimate for $spec$ and $c$-stable, and

4. $\rho_t$ is the first configuration after $\rho_0$ such that $\rho_t$ is $c$-legitimate for $spec$ and $c$-stable.

Now we can define a self-stabilizing protocol such that Byzantine processes may only impact 
processes outside the containment radius a bounded number of times, even if Byzantine processes 
execute an infinite number of actions. 

Definition 7 ($(t, k, c, f)$-time contained configuration) A configuration $\rho_0$ is $(t, k, c, f)$-time contained for $spec$ if, given at most $f$ Byzantine processes, the following properties are satisfied:

1. $\rho_0$ is $c$-legitimate for $spec$ and $c$-stable,

2. every execution starting from $\rho_0$ contains a $c$-legitimate configuration for $spec$ after which the values of all the O-variables of $c$-correct processes remain unchanged (even when Byzantine processes make actions repeatedly and forever),

3. every execution starting from $\rho_0$ contains at most $t$ $c$-disruptions, and

4. every execution starting from $\rho_0$ contains at most $k$ actions of changing the values of O-variables for each $c$-correct process.

Definition 8 ($(t, c, f)$-strongly stabilizing protocol) A protocol $A$ is $(t, c, f)$-strongly stabilizing if and only if, starting from any arbitrary configuration, every execution involving at most $f$ Byzantine processes contains a $(t, k, c, f)$-time contained configuration that is reached after at most $l$ rounds. Parameters $l$ and $k$ are respectively the $(t, c, f)$-stabilization time and the $(t, c, f)$-process-disruption time of $A$.

Note that a $(t, k, c, f)$-time contained configuration is a $(c, f)$-contained configuration when $t = k = 0$, and thus a $(t, k, c, f)$-time contained configuration is a generalization (relaxation) of a $(c, f)$-contained configuration. Thus, a strongly stabilizing protocol is weaker than a strictly stabilizing one (as processes outside the containment radius may take incorrect actions due to Byzantine influence). However, a strongly stabilizing protocol is stronger than a classical self-stabilizing one (which may never meet its specification in the presence of Byzantine processes).

The parameters $t$, $k$ and $c$ are introduced to quantify the strength of fault containment; we do not require each process to know the values of the parameters.
Topology-aware Byzantine resilience We saw previously that there exist a number of impossibility results on strict stabilization due to the notion of $r$-restrictive specifications. To circumvent this impossibility result, we describe here another notion weaker than strict stabilization: topology-aware strict stabilization (denoted by TA strict stabilization for short) introduced by [5]. Here, the requirement on the containment radius is relaxed, i.e. the set of processes which may be disturbed by Byzantine ones is not reduced to the union of the $c$-neighborhoods of Byzantine processes (i.e. the set of processes at distance at most $c$ from a Byzantine process) but can be defined depending on the graph topology and the location of Byzantine processes.

In the following, we give the formal definition of this new kind of Byzantine containment. From now on, $B$ denotes the set of Byzantine processes and $S_B$ (which is a function of $B$) denotes a subset of $V$ (intuitively, this set gathers all processes which may be disturbed by Byzantine processes).

Definition 9 ($S_B$-correct node) A node is $S_B$-correct if it is a correct node (i.e. not Byzantine) which does not belong to $S_B$.

Definition 10 ($S_B$-legitimate configuration) A configuration $\rho$ is $S_B$-legitimate for $spec$ if every $S_B$-correct node $v$ is legitimate for $spec$ (i.e. if $spec(v)$ holds).

Definition 11 ($(S_B, f)$-topology-aware containment) A configuration $\rho_0$ is $(S_B, f)$-topology-aware contained for specification $spec$ if, given at most $f$ Byzantine processes, in any execution $e = \rho_0, \rho_1, \ldots$, every configuration is $S_B$-legitimate and every $S_B$-correct process never changes its O-variables.

The parameter $S_B$ of Definition 11 refers to the containment area. Any process which belongs to this set may be infinitely disturbed by Byzantine processes. The parameter $f$ refers explicitly to the number of Byzantine processes.

Definition 12 ($(S_B, f)$-topology-aware strict stabilization) A protocol is $(S_B, f)$-topology-aware strictly stabilizing for specification $spec$ if, given at most $f$ Byzantine processes, any execution $e = \rho_0, \rho_1, \ldots$ contains a configuration $\rho_i$ that is $(S_B, f)$-topology-aware contained for $spec$.

Note that, if $B$ denotes the set of Byzantine processes and $S_B = \{v \in V \mid \min_{b \in B} d(v, b) \le c\}$, then an $(S_B, f)$-topology-aware strictly stabilizing protocol is a $(c, f)$-strictly stabilizing protocol. Thus, the concept of topology-aware strict stabilization is a generalization of strict stabilization. However, note that a TA strictly stabilizing protocol is stronger than a classical self-stabilizing protocol (which may never meet its specification in the presence of Byzantine processes). The parameter $S_B$ is introduced to quantify the strength of fault containment; we do not require each process to know the actual definition of the set.

Similarly to topology-aware strict stabilization, we can weaken the notion of strong stabilization 
using the notion of containment area. This idea was introduced by [6]. We recall in the following 
the formal definition of this concept. 

Definition 13 ($S_B$-stable configuration) A configuration $\rho$ is $S_B$-stable if every $S_B$-correct process never changes the values of its O-variables as long as Byzantine processes make no action.
Definition 14 ($S_B$-TA-disruption) A portion of execution $e = \rho_0, \rho_1, \ldots, \rho_t$ ($t > 1$) is an $S_B$-TA-disruption if and only if the following hold:

1. $e$ is finite,

2. $e$ contains at least one action of an $S_B$-correct process for changing the value of an O-variable,

3. $\rho_0$ is $S_B$-legitimate for $spec$ and $S_B$-stable, and

4. $\rho_t$ is the first configuration after $\rho_0$ such that $\rho_t$ is $S_B$-legitimate for $spec$ and $S_B$-stable.

Definition 15 ($(t, k, S_B, f)$-TA time contained configuration) A configuration $\rho_0$ is $(t, k, S_B, f)$-TA time contained for $spec$ if, given at most $f$ Byzantine processes, the following properties are satisfied:

1. $\rho_0$ is $S_B$-legitimate for $spec$ and $S_B$-stable,

2. every execution starting from $\rho_0$ contains an $S_B$-legitimate configuration for $spec$ after which the values of all the O-variables of $S_B$-correct processes remain unchanged (even when Byzantine processes make actions repeatedly and forever),

3. every execution starting from $\rho_0$ contains at most $t$ $S_B$-TA-disruptions, and

4. every execution starting from $\rho_0$ contains at most $k$ actions of changing the values of O-variables for each $S_B$-correct process.

Definition 16 ($(t, S_B, f)$-TA strongly stabilizing protocol) A protocol $A$ is $(t, S_B, f)$-TA strongly stabilizing if and only if, starting from any arbitrary configuration, every execution involving at most $f$ Byzantine processes contains a $(t, k, S_B, f)$-TA time contained configuration that is reached after at most $l$ rounds of each $S_B$-correct node. Parameters $l$ and $k$ are respectively the $(t, S_B, f)$-stabilization time and the $(t, S_B, f)$-process-disruption time of $A$.

2.3 Maximum Metric Tree Construction 

In this work, we deal with maximum (routing) metric trees as defined in [10]. Informally, the goal of a routing protocol is to construct a tree that simultaneously maximizes the metric values of all of the nodes with respect to some total ordering $\prec$. In the following, we recall all definitions and notations introduced in [10].

Definition 17 (Routing metric) A routing metric (or just metric) is a five-tuple $(M, W, met, mr, \prec)$ where:

1. $M$ is a set of metric values,

2. $W$ is a set of edge weights,

3. $met$ is a metric function whose domain is $M \times W$ and whose range is $M$,

4. $mr$ is the maximum metric value in $M$ with respect to $\prec$ and is assigned to the root of the system,

5. $\prec$ is a less-than total order relation over $M$ that satisfies the following three conditions for arbitrary metric values $m$, $m'$, and $m''$ in $M$:

(a) irreflexivity: $m \not\prec m$,

(b) transitivity: if $m \prec m'$ and $m' \prec m''$ then $m \prec m''$,

(c) totality: $m \prec m'$ or $m' \prec m$ or $m = m'$.

Any metric value $m \in M \setminus \{mr\}$ satisfies the utility condition (that is, there exist $w_0, \ldots, w_{k-1}$ in $W$ and $m_0 = mr, m_1, \ldots, m_{k-1}, m_k = m$ in $M$ such that $\forall i \in \{1, \ldots, k\}$, $m_i = met(m_{i-1}, w_{i-1})$).

For instance, we provide the definition of four classical metrics with this model: the shortest path metric ($\mathcal{SP}$), the flow metric ($\mathcal{F}$), and the reliability metric ($\mathcal{R}$). Note also that we can model the construction of a spanning tree with no particular constraints in this model using the metric $\mathcal{NC}$ described below, and the construction of a BFS spanning tree using the shortest path metric ($\mathcal{SP}$) with $W_1 = \{1\}$ (we denote this metric by $\mathcal{BFS}$ in the following).



$\mathcal{SP} = (M_1, W_1, met_1, mr_1, \prec_1)$ where $M_1 = \mathbb{N}$, $W_1 = \mathbb{N}$, $met_1(m, w) = m + w$, $mr_1 = 0$, and $\prec_1$ is the classical $>$ relation.

$\mathcal{F} = (M_2, W_2, met_2, mr_2, \prec_2)$ where $mr_2 \in \mathbb{N}$, $M_2 = \{0, \ldots, mr_2\}$, $W_2 = \{0, \ldots, mr_2\}$, $met_2(m, w) = \min\{m, w\}$, and $\prec_2$ is the classical $<$ relation.

$\mathcal{R} = (M_3, W_3, met_3, mr_3, \prec_3)$ where $M_3 = [0, 1]$, $W_3 = [0, 1]$, $met_3(m, w) = m \cdot w$, $mr_3 = 1$, and $\prec_3$ is the classical $<$ relation.

$\mathcal{NC} = (M_4, W_4, met_4, mr_4, \prec_4)$ where $M_4 = \{0\}$, $W_4 = \{0\}$, $met_4(m, w) = 0$, $mr_4 = 0$, and $\prec_4$ is the classical $<$ relation.



Definition 18 (Assigned metric) An assigned metric over a system $S$ is a six-tuple $(M, W, met, mr, \prec, wf)$ where $(M, W, met, mr, \prec)$ is a metric and $wf$ is a function that assigns to each edge of $S$ a weight in $W$.

Let a rooted path (from $v$) be a simple path from a process $v$ to the root $r$. The next set of definitions is with respect to an assigned metric $(M, W, met, mr, \prec, wf)$ over a given system $S$.

Definition 19 (Metric of a rooted path) The metric of a rooted path in $S$ is the prefix sum of $met$ over the edge weights in the path and $mr$.

For example, if a rooted path $p$ in $S$ is $v_k, \ldots, v_0$ with $v_0 = r$, then the metric of $p$ is $m_k = met(m_{k-1}, wf(\{v_k, v_{k-1}\}))$ with $\forall i \in \{1, \ldots, k-1\}$, $m_i = met(m_{i-1}, wf(\{v_i, v_{i-1}\}))$ and $m_0 = mr$.

Definition 20 (Maximum metric path) A rooted path $p$ from $v$ in $S$ is called a maximum metric path with respect to an assigned metric if and only if, for every other rooted path $q$ from $v$ in $S$, the metric of $p$ is greater than or equal to the metric of $q$ with respect to the total order $\prec$.
Definition 21 (Maximum metric of a node) The maximum metric of a node $v \ne r$ (or simply metric value of $v$) in $S$ is defined by the metric of a maximum metric path from $v$. The maximum metric of $r$ is $mr$.

Definition 22 (Maximum metric tree) A spanning tree T of S is a maximum metric tree with 
respect to an assigned metric over S if and only if every rooted path in T is a maximum metric 
path in S with respect to the assigned metric. 



The goal of the work of [10] is the study of metrics that always allow the construction of a maximum metric tree. More formally, the definition follows.

Definition 23 (Maximizable metric) A metric is maximizable if and only if, for any assignment of this metric over any system $S$, there is a maximum metric tree for $S$ with respect to the assigned metric.

Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the aim of this work is to study the construction of a maximum metric tree with respect to $\mathcal{M}$ which spans the system in a self-stabilizing way, in a system subject to permanent Byzantine faults (but we must assume that the root process is never a Byzantine one). It is obvious that these Byzantine processes may disturb some correct processes. This is why we relax the problem in the following way: we want to construct a maximum metric forest with respect to $\mathcal{M}$. The root of any tree of this forest must be either the real root or a Byzantine process.

Each process $v$ has three O-variables: a pointer to its parent in its tree ($prnt_v \in N_v \cup \{\bot\}$), a level which stores its current metric value ($level_v \in M$) and an integer which stores a distance ($dist_v \in \mathbb{N}$). Obviously, Byzantine processes may disturb (at least) their neighbors. We use the following specification of the problem.

We introduce new notations as follows. Given an assigned metric $(M, W, met, mr, \prec, wf)$ over the system $S$ and two processes $u$ and $v$, we denote by $\mu(u, v)$ the maximum metric of node $u$ when $v$ plays the role of the root of the system. If $u$ and $v$ are neighbors, we denote by $w_{u,v}$ the weight of the edge $\{u, v\}$ (that is, the value of $wf(\{u, v\})$).



Definition 24 ($\mathcal{M}$-path) Given an assigned metric $\mathcal{M} = (M, W, mr, met, \prec, wf)$ over a system $S$, a path $(v_0, \ldots, v_k)$ ($k \ge 1$) of $S$ is an $\mathcal{M}$-path if and only if:

1. $prnt_{v_0} = \bot$, $level_{v_0} = mr$, $dist_{v_0} = 0$, and $v_0 \in B \cup \{r\}$,

2. $\forall i \in \{1, \ldots, k\}$, $prnt_{v_i} = v_{i-1}$ and $level_{v_i} = met(level_{v_{i-1}}, w_{v_i, v_{i-1}})$,

3. $\forall i \in \{1, \ldots, k\}$, $met(level_{v_{i-1}}, w_{v_i, v_{i-1}}) = \max_{\prec}\{met(level_u, w_{v_i, u}) \mid u \in N_{v_i}\}$,

4. $\forall i \in \{1, \ldots, k\}$, $dist_{v_i} = legal\_dist_{v_{i-1}}$ where, for a process $v$ and $\forall u \in N_v$, $legal\_dist_u = \begin{cases} dist_u + 1 & \text{if } level_v = level_u \\ 0 & \text{otherwise} \end{cases}$, and

5. $level_{v_k} = \mu(v_k, v_0)$.
We define the specification predicate $spec(v)$ of the maximum metric tree construction with respect to a maximizable metric $\mathcal{M}$ as follows:

$spec(v) \equiv \begin{cases} prnt_v = \bot \text{ and } level_v = mr \text{ and } dist_v = 0 & \text{if } v \text{ is the root } r \\ \text{there exists an } \mathcal{M}\text{-path } (v_0, \ldots, v_k) \text{ such that } v_k = v & \text{otherwise} \end{cases}$


2.4 Previous results 

In this section, we summarize known results about maximum metric tree construction. The first 
interesting result about maximizable metrics is due to [lOj that provides a fully characterization of 
maximizable metrics as follow. 

Definition 25 (Boundedness) A metric $(M, W, met, mr, \prec)$ is bounded if and only if: $\forall m \in M, \forall w \in W$, $met(m, w) \prec m$ or $met(m, w) = m$.

Definition 26 (Monotonicity) A metric $(M, W, met, mr, \prec)$ is monotonic if and only if: $\forall (m, m') \in M^2, \forall w \in W$, $m \prec m' \Rightarrow (met(m, w) \prec met(m', w)$ or $met(m, w) = met(m', w))$.

Theorem 1 (Characterization of maximizable metrics [10]) A metric is maximizable if and only if this metric is bounded and monotonic.

Secondly, [9] provides a self-stabilizing protocol to construct a maximum metric tree with respect to any maximizable metric. Now, we focus on self-stabilizing solutions resilient to Byzantine faults. Following the discussion of Section 2, it is obvious that there exists no strictly stabilizing protocol for this problem. If we consider the weaker notion of topology-aware strict stabilization, [5] defines the best containment area as:

$S_B = \{v \in V \setminus B \mid \mu(v, r) \preceq \max_{\prec}\{\mu(v, b), b \in B\}\} \setminus \{r\}$

Intuitively, $S_B$ gathers correct processes that are closer to (or at equal distance from) a Byzantine process than to the root according to the metric. Moreover, [5] proves that the algorithm introduced for maximum metric spanning tree construction in [9] achieves this optimal containment area. More formally, [5] proves the following results.

Theorem 2 ([5]) Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central daemon, there exists no $(A_B, 1)$-TA strictly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $A_B \subsetneq S_B$.

Theorem 3 ([5]) Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the protocol of [9] is an $(S_B, n-1)$-TA strictly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$.
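The objects of Section 2.3 (a routing metric as in Definition 17, the maximum metric $\mu(v, \cdot)$ of Definition 21, the $\mathcal{M}$-path predicate $spec(v)$ of Definition 24) and the containment area $S_B$ of [5] can all be evaluated mechanically on a small instance. The Python below is an added example and not code from the paper nor from the protocols of [5, 9]. The graph, the Byzantine set and the configuration it checks are constructed here; the flow metric is instantiated with $mr_2 = 10$; and $\mu$ is obtained by plain relaxation of $met$ over the edges, which is one way to compute maximum metric values for a maximizable metric, not the paper's method.

```python
# Added example, not part of the paper: a routing metric (Definition 17), the
# maximum metric mu(v, root) of every node (Definition 21), the spec(v)
# predicate built on M-paths (Definition 24, Section 2.3) and the containment
# area S_B of [5], all evaluated on a small constructed graph.
from collections import namedtuple

# A metric is (met, mr, better): better(a, b) is True iff b ≺ a, i.e. a is
# strictly larger under the metric's total order ≺.
Metric = namedtuple("Metric", "met mr better")
SP = Metric(lambda m, w: m + w, 0, lambda a, b: a < b)      # ≺ is >: shorter is larger
F = Metric(lambda m, w: min(m, w), 10, lambda a, b: a > b)  # bottleneck; mr_2 = 10 chosen here
R = Metric(lambda m, w: m * w, 1.0, lambda a, b: a > b)     # product of reliabilities in [0, 1]
NC = Metric(lambda m, w: 0, 0, lambda a, b: False)          # single value, no constraint


def best(values, metric):
    """max_≺ over a non-empty iterable of metric values."""
    values = list(values)
    top = values[0]
    for x in values[1:]:
        if metric.better(x, top):
            top = x
    return top


def max_metric(graph, metric, root):
    """mu(v, root) for every v, by Bellman-Ford style relaxation of met along
    edges.  Correct for maximizable (bounded, monotonic) metrics on a connected
    graph; graph maps node -> {neighbor: edge weight} in both directions."""
    mu = {v: None for v in graph}
    mu[root] = metric.mr
    for _ in range(len(graph)):
        changed = False
        for u in graph:
            for v, w in graph[u].items():
                if mu[v] is None:
                    continue
                cand = metric.met(mu[v], w)
                if mu[u] is None or metric.better(cand, mu[u]):
                    mu[u], changed = cand, True
        if not changed:
            break
    return mu


def spec(v, conf, graph, metric, root, byz):
    """spec(v) of Section 2.3.  conf[x] = (prnt_x, level_x, dist_x) holds the
    O-variables of node x (None stands for ⊥); byz is the set B."""
    if v == root:
        return conf[v] == (None, metric.mr, 0)
    # Follow prnt pointers backwards: the only candidate M-path ending at v.
    path, seen = [v], {v}
    while conf[path[-1]][0] is not None:
        p = conf[path[-1]][0]
        if p in seen or p not in graph[path[-1]]:   # cycle, or parent not a neighbor
            return False
        path.append(p)
        seen.add(p)
    path.reverse()                                  # now v_0, ..., v_k = v
    if len(path) < 2:
        return False                                # an M-path needs k >= 1
    v0 = path[0]
    if conf[v0] != (None, metric.mr, 0) or (v0 != root and v0 not in byz):
        return False                                # condition 1
    mu = max_metric(graph, metric, v0)              # mu(., v_0) for condition 5
    for i in range(1, len(path)):
        vi, vp = path[i], path[i - 1]
        _, li, di = conf[vi]
        _, lp, dp = conf[vp]
        via_parent = metric.met(lp, graph[vi][vp])
        if li != via_parent:                        # condition 2
            return False
        if via_parent != best((metric.met(conf[u][1], graph[vi][u]) for u in graph[vi]), metric):
            return False                            # condition 3: parent is a best neighbor
        if di != (dp + 1 if li == lp else 0):       # condition 4: legal_dist
            return False
    return conf[v][1] == mu[v]                      # condition 5


def containment_area(graph, metric, root, byz):
    """S_B of [5]: correct non-root v with mu(v, r) ⪯ max_≺ {mu(v, b) : b in B}."""
    mu_r = max_metric(graph, metric, root)
    mu_b = [max_metric(graph, metric, b) for b in byz]
    return {v for v in graph if v != root and v not in byz
            and not metric.better(mu_r[v], best((m[v] for m in mu_b), metric))}


# Constructed sample: root r, Byzantine x, unit weights except a-x.
GRAPH = {
    "r": {"a": 1},
    "a": {"r": 1, "b": 1, "x": 3},
    "b": {"a": 1, "c": 1},
    "c": {"b": 1, "x": 1},
    "x": {"c": 1, "a": 3},
}
BYZ = {"x"}
# Correct nodes hold the SP tree rooted at r; x falsely advertises a root state.
CONF = {"r": (None, 0, 0), "a": ("r", 1, 0), "b": ("a", 2, 0), "c": ("b", 3, 0), "x": (None, 0, 0)}
```

Running `containment_area(GRAPH, SP, "r", BYZ)` gives `{"b", "c"}`, and `spec("c", CONF, ...)` is false while `spec("a", ...)` and `spec("b", ...)` hold: `c` lies in $S_B$ and condition 3 fails for it because the Byzantine `x` advertises a root-like level. Replacing `c`'s state by `("x", 1, 0)` makes `spec("c", ...)` true again, which is exactly the forest relaxation of Section 2.3 (a tree rooted at a Byzantine process).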

Some other works try to circumvent the impossibility result of strict stabilization using the concept of strong stabilization, but do not provide results for any maximizable metric. Indeed, [7] proves the following result about spanning trees.

Theorem 4 ([7]) There exists a $(t, 0, n-1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{NC}$ (that is, for a spanning tree with no particular constraints) with a finite $t$.




On the other hand, regarding BFS spanning tree construction, [6] proved the following impossibility result.

Theorem 5 ([6]) Even under the central daemon, there exists no $(t, c, 1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where $t$ and $c$ are two finite integers.

Now, if we focus on topology-aware strong stabilization, [6] introduced the following containment area: $S_B^* = \{v \in V \mid \min_{b \in B} d(v, b) \le d(r, v)\}$, and proved the following results.

Theorem 6 ([6]) Even under the central daemon, there exists no $(t, A_B^*, 1)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where $A_B^* \subsetneq S_B^*$ and $t$ is a finite integer.

Theorem 7 ([6]) The protocol of [11] is a $(t, S_B^*, n-1)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where $t$ is a finite integer.

The main motivation of this work is to fill the gap between results about TA strong and strong 
stabilization in the general case (that is, for any maximizable metric). Mainly, we define the best 
possible containment area for TA strong stabilization, we propose a protocol that provides this 
containment area and we characterize the set of metrics that allow strong stabilization. 

3 Impossibility Results 

In this section, we provide our impossibility results about containment radius (respectively area) 
of any strongly stabilizing (respectively TA strongly stabilizing) protocol for the maximum metric 
tree construction. 

3.1 Strong Stabilization 

We introduce here some new definitions to characterize some important properties of maximizable 
metrics that are used in the following. 

Definition 27 (Strictly decreasing metric) A metric $\mathcal{M} = (M, W, mr, met, \prec)$ is strictly decreasing if, for any metric value $m \in M$, the following property holds: either $\forall w \in W$, $met(m, w) \prec m$, or $\forall w \in W$, $met(m, w) = m$.

Definition 28 (Fixed point) A metric value $m$ is a fixed point of a metric $\mathcal{M} = (M, W, mr, met, \prec)$ if $m \in M$ and if for any value $w \in W$, we have $met(m, w) = m$.

Then, we define a specific class of maximizable metrics and we prove that it is impossible to 
construct a maximum metric tree in a strongly-stabilizing way if we do not consider such a metric. 

Definition 29 (Strongly maximizable metric) A maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$ is strongly maximizable if and only if $|M| = 1$ or if the following properties hold:

• $|M| \geq 2$,

• $\mathcal{M}$ is strictly decreasing, and

• $\mathcal{M}$ has one and only one fixed point.
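As an added example (not the paper's own code), the following Python checks Definitions 27 to 29 mechanically for a finite metric given as $(M, W, mr, met, \prec)$, and applies it to the metric MET introduced below in this section, to NC (a single metric value), and to two constructed variants that fail one clause each; MET_ZERO and TWO_FIX are constructed for this example and do not appear in the paper.

```python
from typing import Callable, Iterable, List


class Metric:
    """A finite metric (M, W, mr, met, prec) as in Definitions 27-29 of the paper."""

    def __init__(self, M: Iterable, W: Iterable, mr, met: Callable, prec: Callable):
        self.M, self.W, self.mr, self.met, self.prec = list(M), list(W), mr, met, prec

    def is_strictly_decreasing(self) -> bool:
        # Definition 27: for every m, either every w gives met(m,w) < m (w.r.t. prec),
        # or every w gives met(m,w) = m. A mix of the two disqualifies the metric.
        for m in self.M:
            images = [self.met(m, w) for w in self.W]
            all_below = all(self.prec(x, m) for x in images)
            all_equal = all(x == m for x in images)
            if not (all_below or all_equal):
                return False
        return True

    def fixed_points(self) -> List:
        # Definition 28: m is a fixed point iff met(m, w) = m for every w in W.
        return [m for m in self.M if all(self.met(m, w) == m for w in self.W)]

    def is_strongly_maximizable(self) -> bool:
        # Definition 29: |M| = 1, or (|M| >= 2, strictly decreasing, exactly one fixed point).
        if len(self.M) == 1:
            return True
        return (len(self.M) >= 2 and self.is_strictly_decreasing()
                and len(self.fixed_points()) == 1)


# MET from the paper: M = {0,1,2,3}, W = {1}, met(m,w) = max(0, m - w), mr = 3, prec is "<".
MET = Metric([0, 1, 2, 3], [1], 3, lambda m, w: max(0, m - w), lambda a, b: a < b)
# NC: a single metric value, so every spanning tree is a maximum metric tree.
NC = Metric([0], [0], 0, lambda m, w: 0, lambda a, b: a < b)
# Constructed (not in the paper): MET with a zero weight allowed. For m = 3 we get
# met(3, 0) = 3 but met(3, 1) = 2, so Definition 27 fails at m = 3.
MET_ZERO = Metric([0, 1, 2, 3], [0, 1], 3, lambda m, w: max(0, m - w), lambda a, b: a < b)
# Constructed (not in the paper): strictly decreasing, but both 0 and 1 are fixed points.
TWO_FIX = Metric([0, 1, 2, 3], [1], 3, lambda m, w: m if m <= 1 else m - w, lambda a, b: a < b)
```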

Note that NC is a strongly maximizable metric (since $|M_{NC}| = 1$) whereas BFS and SP are not (since the first one has no fixed point and the second is not strictly decreasing). If we consider the metric MET defined below, we can show that MET is a strongly maximizable metric such that $|M| > 2$, where

$$MET = (M_5, W_5, met_5, mr_5, \prec_5)$$

with $M_5 = \{0, 1, 2, 3\}$, $W_5 = \{1\}$, $met_5(m, w) = \max\{0, m - w\}$, $mr_5 = 3$, and $\prec_5$ is the classical $<$ relation.

Now, we can state our first impossibility result.

Theorem 8 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central daemon, there exists no $(t, c, 1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ for any finite integer $t$ if:

Proof We prove this result by contradiction. We assume that $\mathcal{M} = (M, W, mr, met, \prec)$ is a maximizable metric such that there exist a finite integer $t$ and a protocol $\mathcal{P}$ that is a $(t, c, 1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$. We distinguish the following cases (note that they are exhaustive):

Case 1: $\mathcal{M}$ is a strongly maximizable metric and $c < |M| - 2$.

As $c \geq 0$, we know that $|M| > 2$ and, by definition of a strongly maximizable metric, $\mathcal{M}$ is strictly decreasing and has one and only one fixed point.

By assumption on $\mathcal{M}$, we know that there exist $c + 3$ distinct metric values $m_0 = mr, m_1, \ldots, m_{c+2}$ in $M$ and $w_0, w_1, \ldots, w_{c+1}$ in $W$ such that: $\forall i \in \{1, \ldots, c+2\}, m_i = met(m_{i-1}, w_{i-1}) \prec m_{i-1}$.

Let $S = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$, $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c+2\}\}$ and $\forall i \in \{0, \ldots, c+1\}, w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w_i$. Note that the choice $w_{p_{c+1}, p_{c+2}} = w_{c+1}$ ensures the following property when $level_r = level_b = mr$: $\mu(p_{c+1}, b) \prec \mu(p_{c+1}, r)$ (and by symmetry, $\mu(p_{c+2}, r) \prec \mu(p_{c+2}, b)$). Process $p_0$ is the real root and process $b$ is a Byzantine one. Note that the construction of $W$ ensures the following properties when $level_r = level_b = mr$: $\forall i \in \{1, \ldots, c+1\}, \mu(p_i, r) = \mu(p_{2c+3-i}, b)$, $\mu(p_i, b) \prec \mu(p_i, r)$ and $\mu(p_{2c+3-i}, r) \prec \mu(p_{2c+3-i}, b)$.

Assume that the initial configuration $\rho_0$ of $S$ satisfies: $prnt_r = prnt_b = \bot$, $level_r = level_b = mr$, and other variables of $b$ (in particular $dist$) are identical to those of $r$ (see Figure 1; variables of other processes may be arbitrary).

Figure 1: Configurations used in proof of Theorem 8, case 1 (the system $S$ with its edge weights $w_0, \ldots, w_c, w_{c+1}, w_c, \ldots, w_0$, and the configurations $\rho_1$, $\rho_2$ and $\rho_3$; figure not reproduced).

Assume now that $b$ takes exactly the same
actions as $r$ (if any) immediately after $r$. Then, by symmetry of the execution and by convergence of $\mathcal{P}$ to $spec$, we can deduce that the system reaches in a finite time a configuration $\rho_1$ (see Figure 1) in which: $\forall i \in \{1, \ldots, c+1\}, prnt_{p_i} = p_{i-1}$, $level_{p_i} = \mu(p_i, r) = m_i$, $dist_{p_i} = legal\_dist_{prnt_{p_i}}$ and $\forall i \in \{c+2, \ldots, 2c+2\}, prnt_{p_i} = p_{i+1}$, $level_{p_i} = \mu(p_i, b) = m_{2c+3-i}$, and $dist_{p_i} = legal\_dist_{prnt_{p_i}}$ (because this configuration is the only one in which all correct processes $v$ satisfy $spec(v)$ when $prnt_r = prnt_b = \bot$ and $level_r = level_b = mr$, by construction of $W$). Note that $\rho_1$ is $c$-legitimate and $c$-stable.

Assume now that the Byzantine process acts as a correct process and executes its algorithm correctly. Then, by convergence of $\mathcal{P}$ in fault-free systems (remember that a strongly-stabilizing algorithm is a special case of self-stabilizing algorithm), we can deduce that the system reaches in a finite time a configuration $\rho_2$ (see Figure 1) in which: $\forall i \in \{1, \ldots, 2c+3\}, prnt_{p_i} = p_{i-1}$, $level_{p_i} = \mu(p_i, r)$, and $dist_{p_i} = legal\_dist_{prnt_{p_i}}$ (because this configuration is the only one in which all processes $v$ satisfy $spec(v)$). Note that the portion of execution between $\rho_1$ and $\rho_2$ contains at least one $c$-perturbation ($p_{c+2}$ is a $c$-correct process and modifies at least once its O-variables) and that $\rho_2$ is $c$-legitimate and $c$-stable.
Figure 2: Configurations used in proof of Theorem 8, cases 2 and 3 (the systems $S_1$ and $S_2$ on the processes $p_0 = r, p_1, \ldots, p_{2c+3} = b$; figure not reproduced).

Assume now that the Byzantine process $b$ takes the following state: $prnt_b = \bot$ and $level_b = mr$. This step brings the system into configuration $\rho_3$ (see Figure 1). From this configuration, we can repeat the execution we constructed from $\rho_0$. By the same token, we obtain an execution of $\mathcal{P}$ which contains $c$-legitimate and $c$-stable configurations (see $\rho_1$) and an infinite number of $c$-perturbations, which contradicts the $(t, c, 1)$-strong stabilization of $\mathcal{P}$.

Case 2: $\mathcal{M}$ is not strictly decreasing.

By definition, we know that $\mathcal{M}$ is not a strongly maximizable metric. Hence, we have $|M| \geq 2$. Then, the definition of a strictly decreasing metric implies that there exists a metric value $m \in M$ such that: $\exists w \in W, met(m, w) = m$ and $\exists w' \in W, m' = met(m, w') \prec m$ (and thus $m$ is not a fixed point of $\mathcal{M}$). By the utility condition on $\mathcal{M}$, we know that there exists a sequence of metric values $m_0 = mr, m_1, \ldots, m_l = m$ in $M$ and $w_0, w_1, \ldots, w_{l-1}$ in $W$ such that $\forall i \in \{1, \ldots, l\}, m_i = met(m_{i-1}, w_{i-1})$. Denote by $k$ the length of the shortest such sequence. Note that this implies that $\forall i \in \{1, \ldots, k\}, m_i \prec m_{i-1}$ (otherwise we can remove $m_i$ from the sequence, which is contradictory with the construction of $k$). We distinguish the following cases:

Case 2.1: $k \geq c + 2$.

We can use the same token as in case 1 above by using $w'$ instead of $w_{c+1}$ in the case where $k = c + 2$ (since we know that $met(m, w') \prec m$).

Case 2.2: $k < c + 2$.

Let $S_1 = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$, $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c+2\}\}$, $\forall i \in \{0, \ldots, k-1\}, w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w_i$, $\forall i \in \{k, \ldots, c\}, w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w$ and $w_{p_{c+1}, p_{c+2}} = w'$ (see Figure 2). Note that this choice ensures the following property when $level_r = level_b = mr$: $\mu(p_{c+1}, b) \prec \mu(p_{c+1}, r)$ (and by symmetry, $\mu(p_{c+2}, r) \prec \mu(p_{c+2}, b)$). Process $p_0$ is the real root and process $b$ is a Byzantine one. Note that the construction of $W$ ensures the following properties when $level_r = level_b = mr$: $\forall i \in \{1, \ldots, c+1\}, \mu(p_i, r) = \mu(p_{2c+3-i}, b)$, $\mu(p_i, b) \prec \mu(p_i, r)$ and $\mu(p_{2c+3-i}, r) \prec \mu(p_{2c+3-i}, b)$. This construction allows us to follow the same proof as in case 1 above.

Case 3: $\mathcal{M}$ has no fixed point or two or more fixed points, and is strictly decreasing.

If $\mathcal{M}$ has no fixed point and is strictly decreasing, then $|M|$ is not finite and then we can apply the result of case 1 above since $c$ is a finite integer.

If $\mathcal{M}$ has two or more fixed points and is strictly decreasing, denote by $T$ and $T'$ two fixed points of $\mathcal{M}$. Without loss of generality, assume that $T \prec T'$. By the utility condition on $\mathcal{M}$, we know that there exist sequences of metric values $m_0 = mr, m_1, \ldots, m_l = T$ and $m'_0 = mr, m'_1, \ldots, m'_{l'} = T'$ in $M$ and $w_0, w_1, \ldots, w_{l-1}$ and $w'_0, w'_1, \ldots, w'_{l'-1}$ in $W$ such that $\forall i \in \{1, \ldots, l\}, m_i = met(m_{i-1}, w_{i-1})$ and $\forall i \in \{1, \ldots, l'\}, m'_i = met(m'_{i-1}, w'_{i-1})$. Denote by $k$ and $k'$ the lengths of the shortest such sequences. Note that this implies that $\forall i \in \{1, \ldots, k\}, m_i \prec m_{i-1}$ and $\forall i \in \{1, \ldots, k'\}, m'_i \prec m'_{i-1}$ (otherwise we can remove $m_i$ or $m'_i$ from the corresponding sequence). We distinguish the following cases:

Case 3.1: $k \geq c + 2$ or $k' \geq c + 2$.

Without loss of generality, assume that $k \geq c + 2$ (the second case is similar). We can use the same token as in case 1 above.

Case 3.2: $k < c + 2$ and $k' < c + 2$.

Let $w$ be an arbitrary value of $W$. Let $S_2 = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$, $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c+2\}\}$, $\forall i \in \{0, \ldots, k-1\}, w_{p_i, p_{i+1}} = w_i$, $\forall i \in \{0, \ldots, k'-1\}, w_{p_{2c+3-i}, p_{2c+2-i}} = w'_i$ and $\forall i \in \{k, \ldots, 2c+2-k'\}, w_{p_i, p_{i+1}} = w$ (see Figure 2). Note that this choice ensures the following property when $level_r = level_b = mr$: $\mu(p_{c+1}, r) = T \prec T' = \mu(p_{c+1}, b)$ and $\mu(p_{c+2}, r) = T \prec T' = \mu(p_{c+2}, b)$. Process $p_0$ is the real root and process $b$ is a Byzantine one. This construction allows us to follow a similar proof as in case 1 above (note that any process $u$ which satisfies $\mu(u, r) \prec T'$ will be disturbed infinitely often, in particular at least $p_{c+1}$ and $p_{c+2}$, which contradicts the $(t, c, 1)$-strong stabilization of $\mathcal{P}$).

In any case, we show that there exists a system which contradicts the $(t, c, 1)$-strong stabilization of $\mathcal{P}$, which ends the proof. □

3.2 Topology Aware Strong Stabilization 

First, we generalize the set previously defined for the BFS metric in [6] to any maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$:

$$S_B^* = \Big\{v \in V \setminus B \;\Big|\; \mu(v, r) \prec \max_{\prec}\{\mu(v, b) \mid b \in B\}\Big\}$$

Figure 3: Examples of containment areas for SP (two systems with $mr = 0$ and $level_b = 0$; figure not reproduced).

Intuitively, $S_B^*$ gathers the set of correct processes that are strictly closer (according to $\mathcal{M}$) to a Byzantine process than to the root. Figures 3 to 5 provide some examples of containment areas with respect to several maximizable metrics and compare them to $S_B$, the optimal containment area for TA strict stabilization.

Note that we assume for the sake of clarity that $V \setminus S_B^*$ induces a connected subsystem. If it is not the case, then $S_B^*$ is extended to include all processes belonging to connected subsystems of $V \setminus S_B^*$ that do not include $r$.

Now, we can state our generalization of Theorem 6.

Theorem 9 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central daemon, there exists no $(t, A_B^*, 1)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $A_B^* \subsetneq S_B^*$ and $t$ is a given finite integer.

Proof Let $\mathcal{M} = (M, W, mr, met, \prec)$ be a maximizable metric and $\mathcal{P}$ be a $(t, A_B^*, 1)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $A_B^* \subsetneq S_B^*$ and $t$ is a finite integer. We must distinguish the following cases:

Case 1: $|M| = 1$.

Denote by $m$ the metric value such that $M = \{m\}$. For any system and for any process $v$, we have $\mu(v, r) = \max_{\prec}\{\mu(v, b) \mid b \in B\} = m$. Consequently, $S_B^* = \emptyset$ for any system. Then, it is absurd to have $A_B^* \subsetneq S_B^*$.

Case 2: $|M| \geq 2$.

By definition of a bounded metric, we can deduce that there exist $m \in M$ and $w \in W$ such that $m = met(mr, w) \prec mr$. Then, we must distinguish the following cases:

Case 2.1: $m$ is a fixed point of $\mathcal{M}$.

Let $S$ be a system such that any edge incident to the root or to a Byzantine process has a weight equal to $w$. Then, we can deduce that we have: $m = \max_{\prec}\{\mu(r, b) \mid b \in B\} \prec \mu(r, r) = mr$ and, for any correct process $v \neq r$, $\mu(v, r) = \max_{\prec}\{\mu(v, b) \mid b \in B\} = m$. Hence, $S_B^* = \emptyset$ for any such system. Then, it is absurd to have $A_B^* \subsetneq S_B^*$.

Case 2.2: $m$ is not a fixed point of $\mathcal{M}$.

This implies that there exists $w' \in W$ such that: $met(m, w') \prec m$ (remember that $\mathcal{M}$ is bounded). Consider the following system: $V = \{r, u, u', v, v', b\}$, $E = \{\{r, u\}, \{r, u'\}, \{u, v\}, \{u', v'\}, \{v, b\}, \{v', b\}\}$, $w_{r,u} = w_{r,u'} = w_{v,b} = w_{v',b} = w$, and $w_{u,v} = w_{u',v'} = w'$ ($b$ is a Byzantine process). We can see that $S_B^* = \{v, v'\}$. Since $A_B^* \subsetneq S_B^*$, we have: $v \notin A_B^*$ or $v' \notin A_B^*$. Consider now the following configuration $\rho_0$: $prnt_r = prnt_b = \bot$, $level_r = level_b = mr$, $dist_r = dist_b = 0$ and the $prnt$, $level$, and $dist$ variables of other processes are arbitrary (see Figure 6; other variables may have arbitrary values, but other variables of $b$ are identical to those of $r$).

Figure 4: Examples of containment areas for F (two systems with $mr = 10$ and $level_b = 10$; figure not reproduced).

Assume now that $b$ takes exactly the same actions as $r$ (if any) immediately after $r$ (note that $r \notin A_B^*$ and hence $prnt_r = \bot$, $level_r = mr$, and $dist_r = 0$ still hold by closure, and then $prnt_b = \bot$, $level_b = mr$, and $dist_b = 0$ still hold too). Then, by symmetry of the execution and by convergence of $\mathcal{P}$ to $spec$, we can deduce that the system reaches in a finite time a configuration $\rho_1$ (see Figure 6) in which: $prnt_r = prnt_b = \bot$, $prnt_u = prnt_{u'} = r$, $prnt_v = prnt_{v'} = b$, $level_r = level_b = mr$, $level_u = level_{u'} = level_v = level_{v'} = m$, and $\forall v \in V, dist_v = legal\_dist_{prnt_v}$ (because this configuration is the only one in which all correct processes $v$ satisfy $spec(v)$ when $prnt_r = prnt_b = \bot$ and $level_r = level_b = mr$, since $met(m, w') \prec m$). Note that $\rho_1$ is $A_B^*$-legitimate for $spec$ and $A_B^*$-stable (whatever $A_B^*$ is).

Figure 5: Examples of containment areas for R (two systems with $level_b = 1$; figure not reproduced).

Assume now that $b$ behaves as a correct processor with respect to $\mathcal{P}$. Then, by convergence of $\mathcal{P}$ in a fault-free system starting from $\rho_1$, which is not legitimate (remember that a TA-strongly stabilizing algorithm is a special case of self-stabilizing algorithm), we can deduce that the system reaches in a finite time a configuration $\rho_2$ (see Figure 6) in which: $prnt_r = \bot$, $prnt_u = prnt_{u'} = r$, $prnt_v = u$, $prnt_{v'} = u'$, $prnt_b = v$ (or $prnt_b = v'$), $level_r = mr$, $level_u = level_{u'} = m$, $level_v = level_{v'} = met(m, w') = m'$, $level_b = met(m', w) = m''$, and $\forall v \in V, dist_v = legal\_dist_{prnt_v}$. Note that processes $v$ and $v'$ modify their O-variables in the portion of execution between $\rho_1$ and $\rho_2$ and that $\rho_2$ is $A_B^*$-legitimate for $spec$ and $A_B^*$-stable (whatever $A_B^*$ is). Consequently, this portion of execution contains at least one $A_B^*$-TA-disruption (whatever $A_B^*$ is).

Assume now that the Byzantine process $b$ takes the following state: $prnt_b = \bot$ and $level_b = mr$. This step brings the system into configuration $\rho_3$ (see Figure 6). From this configuration, we can repeat the execution we constructed from $\rho_0$. By the same token, we obtain an execution of $\mathcal{P}$ which contains $A_B^*$-legitimate and $A_B^*$-stable configurations (see $\rho_1$) and an infinite number of $A_B^*$-TA-disruptions (whatever $A_B^*$ is), which contradicts the $(t, A_B^*, 1)$-TA-strong stabilization of $\mathcal{P}$.

□

4 Topology- Aware Strongly Stabilizing Protocol 

The goal of this section is to provide a $(t, S_B^*, n-1)$-TA strongly stabilizing protocol in order to match the lower bound on containment area provided by Theorem 9. If we focus on the protocol provided by [5] (which is $(S_B, n-1)$-TA strictly stabilizing), we can prove that this protocol does not satisfy our constraints since we have the following result.

Figure 6: Configurations used in proof of Theorem 9 (configurations $\rho_0$ to $\rho_3$ of the six-process system of case 2.2; figure not reproduced).

Theorem 10 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the protocol of [5] is not a $(t, S_B^*, 2)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $t$ is a given finite integer.

Proof To prove this result, it is sufficient to construct an execution of the protocol of [5] for a given metric $\mathcal{M}$ which contains an infinite number of $S_B^*$-TA disruptions with two Byzantine processes.

Consider the shortest path metric SP defined above and the weighted system defined by Figure 7 ($r$ denotes the root and $b_1$ and $b_2$ are two Byzantine processes). We recall that the protocol of [5] uses an upper bound $D$ on the length of any path of the tree and that the protocol is built in such a way that a process cannot choose as parent a neighbor with a $dist$ variable greater than or equal to $D - 1$. Here, we assume that $D = 10$.

If we consider the initial configuration $\rho_1$ defined by Figure 8, we can state that processes $p_2$ and $p_3$ cannot modify their state as long as $b_1$ remains in its state. Moreover, $r$ and $p_1$ are never enabled by the protocol. In this way, it is possible to construct the following portion of execution $e_1$: $b_2$ modifies its $level$ variable to 1. Then, $p_5$ and $p_4$ update their $level$ variable to obtain configuration $\rho_2$ of Figure 8. Note that $e_1$ contains an $S_B^*$-TA disruption since $p_5$ modified one of its O-variables (namely, $level$) and $p_5 \notin S_B^*$. From $\rho_2$, it is possible to construct the following portion of execution $e_2$: $b_2$ modifies its $level$ variable to 0. Then, $p_5$ and $p_4$ update their $level$ variable to obtain configuration $\rho_1$.
Figure 7: System used in proof of Theorem 10 (figure not reproduced).

Figure 8: Configurations used in proof of Theorem 10 (for each process $v$, we use the notation $level_v / dist_v$; figure not reproduced).
Consequently, it is possible to construct an infinite execution $e_1 e_2 e_1 e_2 \ldots$ starting from $\rho_1$ that contains an infinite number of $S_B^*$-TA disruptions with two Byzantine processes. This finishes the proof.

□

4.1 Presentation of the Protocol 

In contrast to Theorem 10, we provide in this paper a new protocol which is $(t, S_B^*, n-1)$-TA strongly stabilizing for maximum metric spanning tree construction. Our protocol needs a supplementary assumption on the system. We introduce the following definition.

Definition 30 (Set of used metric values) Given an assigned metric $\mathcal{AM} = (M, W, met, mr, \prec, wf)$ over a system $S$, the set of used metric values of $\mathcal{AM}$ is defined as $M(S) = \{m \in M \mid \exists v \in V, (\mu(v, r) = m) \vee (\exists b \in B, \mu(v, b) = m)\}$.

We assume that we always have $|M(S)| \geq 2$ (the necessity of this assumption is explained below). Nevertheless, note that the contrary case ($|M(S)| = 1$) is possible if and only if the assigned metric is equivalent to NC. As the protocol of [7] performs $(t, 0, n-1)$-strong stabilization with a finite $t$ for this metric, we can achieve the $(t, S_B^*, n-1)$-TA strong stabilization when $|M(S)| = 1$ (since this implies that $S_B^* = \emptyset$). In this way, this assumption does not weaken the possibility result.

Although the protocol of [5] is not TA strongly stabilizing (see Theorem 10), our protocol borrows its fundamental strategy. In this protocol, any process tries to maximize its level in the tree by choosing as its parent the neighbor that provides the best metric value. The key idea of this protocol is to use the distance variable (upper bounded by a given constant $D$) to detect and break cycles of processes which have the same maximum metric. To achieve the TA strict stabilization, the protocol ensures a fair selection along the set of its neighbors with a round-robin order.

The possibility of an infinite number of disruptions of the protocol of [5] mainly comes from the following fact: a Byzantine process can independently lie about its $level$ and its $dist$ variable. For example, a Byzantine process can provide a $level$ equal to $mr$ and a $dist$ arbitrarily large. In this way, it may lead a correct process of $S_B \setminus S_B^*$ to have a $dist$ variable equal to $D - 1$ such that no other correct process can choose it as its parent (this rule is necessary to break cycles) but it cannot modify its state (this rule is only enabled when $dist$ is equal to $D$). Then, this process may always prevent some of its neighbors from joining an $A_B$-path connected to the root and hence allow another Byzantine process to perform an infinite number of disruptions.

That is why we modified the management of the $dist$ variable (note that other variables are managed exactly in the same way as in the protocol of [5]). In order to contain the effect of Byzantine processes on $dist$ variables, each process that has a level different from the one of its parent in the tree sets its $dist$ variable to 0. In this way, a Byzantine process modifying its $dist$ variable can only affect correct processes that have the same level. Consequently, in the case where $|M(S)| \geq 2$, we are ensured that correct processes of $S_B \setminus S_B^*$ cannot keep a $dist$ variable equal to or greater than $D - 1$ infinitely. Hence, a correct process of $S_B \setminus S_B^*$ cannot be disturbed infinitely often without joining an $A_B$-path connected to the root.

We can see that the assumption $|M(S)| \geq 2$ is essential to perform the topology-aware strong stabilization. Indeed, in the case where $|M(S)| = 1$, Byzantine processes can play exactly the scenario described above (in this case, our protocol is equivalent to the one of [5]).
The second modification we bring to the protocol of [5] follows. When a process has a $dist$ variable that is inconsistent with its parent's, we allow it only to increase its $dist$ variable. If the process needs to decrease its $dist$ variable (when it has a strictly greater distance than its parent), then the process must change its parent. This rule allows us to bound the maximal number of steps of any process between two modifications of its parent (a Byzantine process cannot lead a correct one to infinitely often increase and decrease its distance without modifying its pointer).

Our protocol is formally described in Algorithm 4.1.

Algorithm 4.1 SSMAX, TA strongly stabilizing protocol for maximum metric tree construction.

Data:

$N_v$: totally ordered set of neighbors of $v$.

$D$: upper bound of the number of processes in a simple path.

Variables:

$prnt_v \in \{\bot\}$ if $v = r$, $prnt_v \in N_v$ if $v \neq r$: pointer on the parent of $v$ in the tree.

$level_v \in \{m \in M \mid m \preceq mr\}$: metric of the node.

$dist_v \in \{0, \ldots, D\}$: hop counter.

Functions:

For any subset $A \subseteq N_v$, $choose_v(A)$ returns the first element of $A$ which is bigger than $prnt_v$ (in a round-robin fashion).

$current\_dist_v() = 0$ if $level_{prnt_v} \neq level_v$; $current\_dist_v() = \min(dist_{prnt_v} + 1, D)$ if $level_{prnt_v} = level_v$.

Rules:

$(R_r) :: (v = r) \wedge ((level_v \neq mr) \vee (dist_v \neq 0)) \longrightarrow level_v := mr;\ dist_v := 0$

$(R_1) :: (v \neq r) \wedge (prnt_v \in N_v) \wedge ((dist_v < current\_dist_v()) \vee (level_v \neq met(level_{prnt_v}, w_{v,prnt_v}))) \longrightarrow level_v := met(level_{prnt_v}, w_{v,prnt_v});\ dist_v := current\_dist_v()$

$(R_2) :: (v \neq r) \wedge ((dist_v = D) \vee (dist_v > current\_dist_v())) \wedge (\exists u \in N_v, dist_u < D - 1) \longrightarrow prnt_v := choose_v(\{u \in N_v \mid dist_u < D - 1\});\ level_v := met(level_{prnt_v}, w_{v,prnt_v});\ dist_v := current\_dist_v()$

$(R_3) :: (v \neq r) \wedge (\exists u \in N_v, (dist_u < D - 1) \wedge (level_v \prec met(level_u, w_{u,v}))) \longrightarrow prnt_v := choose_v(\{u \in N_v \mid (dist_u < D - 1) \wedge (met(level_u, w_{u,v}) = \max_{\prec}\{met(level_q, w_{q,v}) \mid q \in N_v, dist_q < D - 1\})\});\ level_v := met(level_{prnt_v}, w_{prnt_v,v});\ dist_v := current\_dist_v()$
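As an added example (not the paper's own code), the following Python simulates the rules of Algorithm 4.1 under a central daemon with a strongly fair round-robin schedule, instantiated with the metric MET of Section 3.1 on a constructed path $r, p_1, p_2, p_3, p_4, b$ in which $b$ is Byzantine and permanently claims $level_b = mr$ with $dist_b = 0$. The process names, the corrupted initial configuration, $D = 6$, and the priority $R_1, R_2, R_3$ used when several rules are enabled are assumptions of this example; it also computes $S_B^*$ so that one can check that every correct process outside $S_B^*$ ends with $level_v = \mu(v, r)$ while $p_3$ and $p_4$, which lie inside $S_B^*$, end up following the Byzantine process.

```python
MR = 3                    # mr of the paper's metric MET: M = {0,1,2,3}, W = {1}

def met(m, w):            # met_5(m, w) = max{0, m - w}
    return max(0, m - w)

def prec(a, b):           # a ≺ b; for MET this is the classical "<"
    return a < b

class SSMAX:
    """A weighted system running Algorithm 4.1. Byzantine processes never execute a
    rule: their (lying) state is whatever the adversary put in `state`."""
    def __init__(self, edges, root, byzantine, D, state):
        self.w, self.N = {}, {}
        for u, v, wt in edges:
            self.w[(u, v)] = self.w[(v, u)] = wt
            self.N.setdefault(u, []).append(v)
            self.N.setdefault(v, []).append(u)
        for v in self.N:                      # N_v is totally ordered (here: by name)
            self.N[v].sort()
        self.r, self.B, self.D = root, set(byzantine), D
        self.prnt = {v: s[0] for v, s in state.items()}   # state[v] = (prnt, level, dist)
        self.level = {v: s[1] for v, s in state.items()}
        self.dist = {v: s[2] for v, s in state.items()}
    def current_dist(self, v):
        # current_dist_v(): 0 if level_prnt != level_v, else min(dist_prnt + 1, D)
        p = self.prnt[v]
        return 0 if self.level[p] != self.level[v] else min(self.dist[p] + 1, self.D)
    def choose(self, v, A):
        # choose_v(A): first element of A bigger than prnt_v, wrapping around (round-robin)
        bigger = [u for u in A if u > self.prnt[v]]
        return min(bigger) if bigger else min(A)
    def candidates(self, v):                  # {u in N_v | dist_u < D - 1}
        return [u for u in self.N[v] if self.dist[u] < self.D - 1]
    def enabled(self, v):
        """Name of a rule enabled at v, or None (rule priority is this example's choice)."""
        if v in self.B:
            return None
        if v == self.r:
            return "Rr" if (self.level[v] != MR or self.dist[v] != 0) else None
        p, cd, cand = self.prnt[v], self.current_dist(v), self.candidates(v)
        if self.dist[v] < cd or self.level[v] != met(self.level[p], self.w[(v, p)]):
            return "R1"                       # repair level; dist may only grow here
        if (self.dist[v] == self.D or self.dist[v] > cd) and cand:
            return "R2"                       # dist would have to shrink: change parent
        if any(prec(self.level[v], met(self.level[u], self.w[(u, v)])) for u in cand):
            return "R3"                       # a neighbour offers a strictly better level
        return None
    def step(self, v, rule):
        if rule == "Rr":
            self.level[v], self.dist[v] = MR, 0
            return
        if rule == "R2":
            self.prnt[v] = self.choose(v, self.candidates(v))
        elif rule == "R3":
            cand = self.candidates(v)
            best = max(met(self.level[u], self.w[(u, v)]) for u in cand)
            self.prnt[v] = self.choose(
                v, [u for u in cand if met(self.level[u], self.w[(u, v)]) == best])
        p = self.prnt[v]
        self.level[v] = met(self.level[p], self.w[(v, p)])
        self.dist[v] = self.current_dist(v)
    def run(self, max_steps=10_000):
        """Central daemon, strongly fair round-robin; returns the number of steps taken."""
        steps, moved = 0, True
        while moved:
            moved = False
            for v in sorted(self.N):
                rule = self.enabled(v)
                if rule:
                    self.step(v, rule)
                    steps, moved = steps + 1, True
                    if steps >= max_steps:
                        raise RuntimeError("no convergence")
        return steps
    def mu(self, src):
        """mu(v, src): best metric value over all paths from src to v (fixpoint relaxation)."""
        best, changed = {src: MR}, True
        while changed:
            changed = False
            for u in list(best):
                for v in self.N[u]:
                    c = met(best[u], self.w[(u, v)])
                    if v not in best or prec(best[v], c):
                        best[v], changed = c, True
        return best
    def containment_area(self):
        """S*_B = {v in V \\ B | mu(v, r) ≺ max_{b in B} mu(v, b)}."""
        mu_r, mu_bs = self.mu(self.r), [self.mu(b) for b in self.B]
        return {v for v in self.N if v not in self.B
                and any(prec(mu_r[v], m[v]) for m in mu_bs)}

def demo():
    """Constructed path r - p1 - p2 - p3 - p4 - b (all weights 1), D = 6, corrupted start;
    the Byzantine b claims level mr with dist 0 forever."""
    s = SSMAX([("r", "p1", 1), ("p1", "p2", 1), ("p2", "p3", 1), ("p3", "p4", 1),
               ("p4", "b", 1)], root="r", byzantine=["b"], D=6,
              state={"r": (None, 0, 5), "p1": ("p2", 3, 6), "p2": ("p3", 0, 2),
                     "p3": ("p2", 3, 1), "p4": ("p3", 1, 5), "b": ("p4", MR, 0)})
    s.run()
    return s
```

After `demo()` returns, $p_1$ and $p_2$ hold $\mu(p_1, r) = 2$ and $\mu(p_2, r) = 1$ with parents $r$ and $p_1$, whereas $p_3$ and $p_4$ (the whole of $S_B^*$ here) have adopted levels 1 and 2 through $b$, and no correct process is enabled any more.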



4.2 Proof of the $(S_B^*, n-1)$-TA Strict Stabilization for spec

This proof is similar to the one of [5] but we must modify it to take into account the modifications of the protocol. In [5], we proved the following useful property about maximizable metrics.

Lemma 1 For any process $v \in V$, we have:

$$\forall u \in N_v,\quad met\Big(\max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\},\ w_{u,v}\Big) \preceq \max_{\prec}\{\mu(v, p) \mid p \in B \cup \{r\}\}$$

Given a configuration $\rho \in C$ and a metric value $m \in M$, let us define the following predicate:

$$IM_m(\rho) \equiv \forall v \in V,\ level_v \preceq \max_{\prec}\Big\{m,\ \max_{\prec}\{\mu(v, u) \mid u \in B \cup \{r\}\}\Big\}$$
Lemma 2 For any metric value $m \in M$, the predicate $IM_m$ is closed by actions of SSMAX.

Proof Let $m$ be a metric value ($m \in M$). Let $\rho \in C$ be a configuration such that $IM_m(\rho) = true$ and $\rho' \in C$ be a configuration such that $\rho \mapsto \rho'$ is a step of SSMAX.

If the root process $r \in R$ (respectively a Byzantine process $b \in R$), then we have $level_r = mr$ (respectively $level_b \preceq mr$) in $\rho'$ by construction of $(R_r)$ (respectively by definition of $level_b$). Hence, $level_r \preceq \max_{\prec}\{m, \max_{\prec}\{\mu(r, u) \mid u \in B \cup \{r\}\}\} = mr$ (respectively $level_b \preceq \max_{\prec}\{m, \max_{\prec}\{\mu(b, u) \mid u \in B \cup \{r\}\}\} = mr$).

If a correct process $v \in R$ with $v \neq r$, then there exists a neighbor $p$ of $v$ such that $level_p \preceq \max_{\prec}\{m, \max_{\prec}\{\mu(p, u) \mid u \in B \cup \{r\}\}\}$ in $\rho$ (since $IM_m(\rho) = true$) and $prnt_v = p$ and $level_v = met(level_p, w_{v,p})$ in $\rho'$ (since $v$ is activated during this step).

If we apply Lemma 1 to $met$ and to neighbor $p$, we obtain the following property:

$$met\Big(\max_{\prec}\{\mu(p, u) \mid u \in B \cup \{r\}\},\ w_{v,p}\Big) \preceq \max_{\prec}\{\mu(v, u) \mid u \in B \cup \{r\}\}$$

Consequently, we obtain that, in $\rho'$:

$$\begin{aligned}
level_v &= met(level_p, w_{v,p}) \\
&\preceq met\Big(\max_{\prec}\{m, \max_{\prec}\{\mu(p, u) \mid u \in B \cup \{r\}\}\},\ w_{v,p}\Big) && \text{by monotonicity of } \mathcal{M} \\
&\preceq \max_{\prec}\Big\{met(m, w_{v,p}),\ met\Big(\max_{\prec}\{\mu(p, u) \mid u \in B \cup \{r\}\},\ w_{v,p}\Big)\Big\} \\
&\preceq \max_{\prec}\{m, \max_{\prec}\{\mu(v, u) \mid u \in B \cup \{r\}\}\} && \text{since } met(m, w_{v,p}) \preceq m
\end{aligned}$$

We can deduce that $IM_m(\rho') = true$, which concludes the proof. □
Given an assigned metric to a system $S$, we can observe that the set of metric values $M$ is finite and that we can label the elements of $M$ by $m_0 = mr, m_1, \ldots, m_k$ in a way such that $\forall i \in \{0, \ldots, k-1\}, m_{i+1} \prec m_i$.

We introduce the following notations:

$$\forall m_i \in M,\quad P_{m_i} = \{v \in V \setminus S_B \mid \mu(v, r) = m_i\}$$

$$\forall m_i \in M,\quad V_{m_i} = \bigcup_{j=0}^{i} P_{m_j}$$

$$\forall m_i \in M,\quad I_{m_i} = \Big\{v \in V \;\Big|\; \max_{\prec}\{\mu(v, u) \mid u \in B \cup \{r\}\} \prec m_i\Big\}$$

$$\forall m_i \in M,\quad \mathcal{LC}_{m_i} = \{\rho \in C \mid (\forall v \in V_{m_i}, spec(v)) \wedge (IM_{m_i}(\rho))\}$$

$$\mathcal{LC} = \mathcal{LC}_{m_k}$$

Lemma 3 For any $m_i \in M$, the set $\mathcal{LC}_{m_i}$ is closed by actions of SSMAX.
Proof Let $m_i$ be a metric value from $M$ and $\rho$ be a configuration of $\mathcal{LC}_{m_i}$. By construction, any process $v \in V_{m_i}$ satisfies $spec(v)$ in $\rho$.

In particular, the root process satisfies: $prnt_r = \bot$, $level_r = mr$, and $dist_r = 0$. By construction of SSMAX, $r$ is not enabled and then never modifies its O-variables (since the guard of the rule of $r$ does not involve the state of its neighbors).

In the same way, any process $v \in V_{m_i}$ satisfies: $prnt_v \in N_v$, $level_v = met(level_{prnt_v}, w_{prnt_v,v})$, $dist_v = legal\_dist_{prnt_v}$, and $level_v = \max_{\prec}\{met(level_u, w_{u,v}) \mid u \in N_v\}$. Note that, as $v \in V_{m_i}$ and $spec(v)$ holds in $\rho$, we have: $level_v = \mu(v, r) = \max_{\prec}\{\mu(v, p) \mid p \in B \cup \{r\}\}$ and $dist_v < D - 1$ by construction of $D$. Hence, process $v$ is not enabled in $\rho$.

Assume that there exists a process $v \in V_{m_i}$ that takes a step $\rho' \mapsto \rho''$ in an execution starting from $\rho$ (without loss of generality, assume that $v$ is the first process of $V_{m_i}$ that takes a step in this execution). Then, we know that $v \neq r$. This activation implies that a neighbor $u \notin V_{m_i}$ of $v$ (since $v$ is the first process of $V_{m_i}$ to take a step) modified its $level_u$ variable to a metric value $m \in M$ such that $level_v \prec met(m, w_{u,v})$ in $\rho'$ (note that the O-variables of $v$ and $prnt_v$ remain consistent since $v$ is the first process to take a step in this execution).

Hence, we have $level_v = \max_{\prec}\{\mu(v, p) \mid p \in B \cup \{r\}\} = \mu(v, r)$ (since $spec(v)$ holds), $level_v \prec met(m, w_{u,v})$ (since $u$ causes an action of $v$), and $m_i \preceq level_v$ (since $v \in V_{m_i}$ and $level_v = \mu(v, r)$). Moreover, the closure of $IM_{m_i}$ (established in Lemma 2) ensures us that $m = level_u \preceq \max_{\prec}\{m_i, \max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\}\}$.

Let us study the two following cases:

Case 1: $\max_{\prec}\{m_i, \max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\}\} = m_i$.

We have then $m \preceq m_i$. As the boundedness of $\mathcal{M}$ ensures that $met(m, w_{u,v}) \preceq m$, we can conclude that $level_v \prec met(m, w_{u,v}) \preceq m \preceq m_i \preceq level_v$, which is absurd.

Case 2: $\max_{\prec}\{m_i, \max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\}\} = \max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\}$.

We have then $m \preceq \max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\}$. By monotonicity of $\mathcal{M}$, we can deduce that $met(m, w_{u,v}) \preceq met(\max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\}, w_{u,v})$. Consequently, we obtain that $\max_{\prec}\{\mu(v, p) \mid p \in B \cup \{r\}\} \prec met(\max_{\prec}\{\mu(u, p) \mid p \in B \cup \{r\}\}, w_{u,v})$. This is contradictory with the result of Lemma 1.

In conclusion, any process $v \in V_{m_i}$ takes no step in any execution starting from $\rho$ and then always satisfies $spec(v)$. Then, the closure of $IM_{m_i}$ (established in Lemma 2) concludes the proof.

□

Lemma 4 Any configuration of $\mathcal{LC}$ is $(S_B, n-1)$-TA contained for $spec$.

Proof This is a direct application of Lemma 3 to $\mathcal{LC} = \mathcal{LC}_{m_k}$. □

Lemma 5 Starting from any configuration of $C$, any execution of SSMAX reaches in a finite time a configuration of $\mathcal{LC}_{mr}$.
Proof Let $\rho$ be an arbitrary configuration. Then, it is obvious that $IM_{mr}(\rho)$ is satisfied. By closure of $IM_{mr}$ (proved in Lemma 2), we know that $IM_{mr}$ remains satisfied in any execution starting from $\rho$.

If $r$ does not satisfy $spec(r)$ in $\rho$, then $r$ is continuously enabled. Since the scheduling is strongly fair, $r$ is activated in a finite time and then $r$ satisfies $spec(r)$ in a finite time. Denote by $\rho'$ the first configuration in which $spec(r)$ holds. Note that $r$ takes no step in any execution starting from $\rho'$.

The boundedness of $\mathcal{M}$ implies that $P_{mr}$ induces a connected subsystem. If $P_{mr} = \{r\}$, then we proved that $\rho' \in \mathcal{LC}_{mr}$ and we have the result.

Otherwise, observe that, for any configuration of an execution starting from $\rho'$, if all processes of $P_{mr}$ are not enabled, then all processes $v$ of $P_{mr}$ satisfy $spec(v)$. Assume now that there exists an execution $e$ starting from $\rho'$ in which some processes of $P_{mr}$ take infinitely many steps. By construction, at least one of these processes (call it $v$) has a neighbor $u$ which takes only a finite number of steps in $e$ (recall that $P_{mr}$ induces a connected subsystem and that $r$ takes no step in $e$). After $u$ takes its last step of $e$, we can observe that $level_u = mr$ and $dist_u < D - 1$ (otherwise, $u$ is activated in a finite time, which contradicts its construction).

As $v$ can execute $(R_1)$ consecutively only a finite number of times (since the incrementation of $dist_v$ is bounded by $D$), we can deduce that $v$ executes $(R_2)$ or $(R_3)$ infinitely often. In both cases, $u$ belongs to the set which is the parameter of function $choose$. By the fairness of this function, we can deduce that $prnt_v = u$ in a finite time in $e$. Then, the construction of $u$ implies that $v$ is never enabled in the sequel of $e$. This is contradictory with the construction of $e$.

Consequently, any execution starting from $\rho'$ reaches in a finite time a configuration such that all processes of $P_{mr}$ are not enabled. We can deduce that this configuration belongs to $\mathcal{LC}_{mr}$, which ends the proof. □

Lemma 6 For any $m_i \in M$ and for any configuration $\rho \in \mathcal{LC}_{m_i}$, any execution of SSMAX starting from $\rho$ reaches in a finite time a configuration such that:

$$\forall v \in I_{m_i},\quad level_v = m_i \Rightarrow dist_v = D$$

Proof Let $m_i$ be an arbitrary metric value of $M$ and $\rho_0$ be an arbitrary configuration of $\mathcal{LC}_{m_i}$. Let $e = \rho_0, \rho_1, \ldots$ be an execution starting from $\rho_0$.

Note that $\rho_0$ satisfies $IM_{m_i}$ by construction. Hence, we have $\forall v \in I_{m_i}, level_v \preceq m_i$. The closure of $IM_{m_i}$ (proved in Lemma 2) ensures us that this property is satisfied in any configuration of $e$.

If any process $v \in I_{m_i}$ satisfies $level_v \prec m_i$ in $\rho_0$, then the result is obvious. Otherwise, we define the following variant function. For any configuration $\rho_j$ of $e$, we denote by $A_j$ the set of processes $v$ of $I_{m_i}$ such that $level_v = m_i$ in $\rho_j$. Then, we define $f(\rho_j) = \min_{v \in A_j}\{dist_v\}$. We will prove the result by showing that there exists an integer $k$ such that $f(\rho_k) = D$.

First, if a process $v$ joins $A_j$ (that is, $v \notin A_{j-1}$ but $v \in A_j$), then it takes a distance value greater than or equal to $f(\rho_{j-1}) + 1$ by construction of the protocol. We can deduce that any process that joins $A_j$ does not decrease $f$. Moreover, the construction of the protocol implies that a process $v$ such that $v \in A_j$ and $v \in A_{j+1}$ cannot decrease its distance value in the step $\rho_j \mapsto \rho_{j+1}$.

Then, consider for a given configuration $\rho_j$ a process $v \in A_j$ such that $dist_v = f(\rho_j) < D$. We claim that $v$ is enabled in $\rho_j$ and that the execution of the enabled rule either strictly increases $dist_v$ or removes $v$ from $A_{j+1}$. We distinguish the following cases:
Case 1: $level_v = met(level_{prnt_v}, w_{v,prnt_v})$.

The fact that $v \in I_{m_i}$, the boundedness of $\mathcal{M}$ and the closure of $IM_{m_i}$ imply that $prnt_v \in A_j$ (and, hence, that $level_{prnt_v} = m_i$). Then, by construction of $f(\rho_j)$, we know that $dist_{prnt_v} \geq f(\rho_j) = dist_v$. Hence, we have $dist_v < dist_{prnt_v} + 1$ in $\rho_j$. Then, $v$ is enabled by $(R_1)$ in $\rho_j$ and $dist_v$ increases by at least 1 during the step $\rho_j \mapsto \rho_{j+1}$ if this rule is executed.

Case 2: $level_v \neq met(level_{prnt_v}, w_{v,prnt_v})$.

Assume that $v$ is activated by $(R_2)$ or $(R_3)$ during the step $\rho_j \mapsto \rho_{j+1}$. If $v$ does not belong to $A_{j+1}$ (if $level_v \neq m_i$ in $\rho_{j+1}$), the claim is satisfied. In the contrary case ($v$ belongs to $A_{j+1}$), we know that $level_v = m_i$ in $\rho_{j+1}$. The boundedness of $\mathcal{M}$ and the closure of $IM_{m_i}$ imply that $level_{prnt_v} = m_i$ in $\rho_{j+1}$. We can conclude that $dist_v$ increases by at least 1 during the step $\rho_j \mapsto \rho_{j+1}$ since the new parent of $v$ has a distance greater than $f(\rho_j)$ by construction of $A_{j+1}$.

Otherwise, we know that the rule $(R_1)$ is enabled for $v$ in $\rho_j$. If this rule is executed during the step $\rho_j \mapsto \rho_{j+1}$, one of the two following sub-cases appears.

Case 2.1: $met(level_{prnt_v}, w_{v,prnt_v}) \prec m_i$ in $\rho_j$.

Then, $v$ does not belong to $A_{j+1}$ by definition.

Case 2.2: $met(level_{prnt_v}, w_{v,prnt_v}) = m_i$ in $\rho_j$.

Recall that the closure of $IM_{m_i}$ then implies that $level_{prnt_v} = m_i$. By construction of $f(\rho_j)$, we have $dist_{prnt_v} \geq f(\rho_j)$ in $\rho_j$. Then, we can see that $dist_v$ increases by at least 1 during the step $\rho_j \mapsto \rho_{j+1}$.

In all cases, $v$ is enabled (at least by $(R_1)$) in $\rho_j$ and the execution of the enabled rule either strictly increases $dist_v$ or removes $v$ from $A_{j+1}$.

As $I_{m_i}$ is finite and the scheduling is strongly fair, we can deduce that $f$ increases in a finite time in any execution starting from $\rho_j$. By repeating the argument at most $D$ times, we can deduce that $e$ contains a configuration such that $f(\rho_k) = D$, which shows the result. □

Lemma 7 For any $m_i \in M$ and for any configuration $\rho \in \mathcal{LC}_{m_i}$ such that $\forall v \in I_{m_i},\ level_v = m_i \Rightarrow
dist_v = D$, any execution of $\mathcal{SSMAX}$ starting from $\rho$ reaches in a finite time a configuration such
that:

$\forall v \in I_{m_i},\ level_v \prec m_i$

Proof Let $m_i \in M$ be an arbitrary metric value and $\rho_0$ be a configuration of $\mathcal{LC}_{m_i}$ such that
$\forall v \in I_{m_i},\ level_v = m_i \Rightarrow dist_v = D$. Let $e = \rho_0, \rho_1, \ldots$ be an arbitrary execution starting from $\rho_0$.

For any configuration $\rho_j$ of $e$, let us denote $E_{\rho_j} = \{v \in I_{m_i} \mid level_v = m_i\}$. By the closure of
$IM_{m_i}$ (which holds by definition in $\rho_0$) established in Lemma 2, we obtain the result if there exists
a configuration $\rho_j$ of $e$ such that $E_{\rho_j} = \emptyset$.

If there exist some processes $v \in I_{m_i} \setminus E_{\rho_0}$ (and hence $level_v \prec m_i$) such that $prnt_v \in E_{\rho_0}$
and $met(level_{prnt_v}, w_{v,prnt_v}) = m_i$ in $\rho_0$, then we can observe that these processes are continuously
enabled by $(R_1)$. As the scheduling is strongly fair, $v$ activates this rule in a finite time and then,
$level_v = m_i$ and $dist_v = D$. In other words, $v$ joins $E_{\rho_l}$ for a given integer $l$. We can conclude that
there exists an integer $k$ such that the following property $(P)$ holds: for any $v \in I_{m_i} \setminus E_{\rho_k}$, either
$prnt_v \notin E_{\rho_k}$ or $met(level_{prnt_v}, w_{v,prnt_v}) \prec m_i$.

Then, we prove that, for any integer $j \ge k$, we have $E_{\rho_{j+1}} \subseteq E_{\rho_j}$. For the sake of contradiction,
assume that there exists an integer $j \ge k$ and a process $v \in I_{m_i}$ such that $v \in E_{\rho_{j+1}}$ and $v \notin E_{\rho_j}$.
Without loss of generality, assume that $j$ is the smallest integer which satisfies these properties.
Let us study the following cases:

Case 1: $v$ activates $(R_1)$ during the step $\rho_j \mapsto \rho_{j+1}$.

Note that the property $(P)$ still holds in $\rho_j$ by the construction of $j$. Hence, we know that
$prnt_v \notin E_{\rho_j}$ in $\rho_j$. But in this case, we have: $level_{prnt_v} \prec m_i$. The boundedness of $\mathcal{M}$ implies
that $level_v = met(level_{prnt_v}, w_{v,prnt_v}) \prec m_i$ in $\rho_{j+1}$, that contradicts the fact that $v \in E_{\rho_{j+1}}$.

Case 2: $v$ activates either $(R_2)$ or $(R_3)$ during the step $\rho_j \mapsto \rho_{j+1}$.

That implies $v$ chooses a new parent which has a distance smaller than $D - 1$ in $\rho_j$. This
implies that this new parent does not belong to $E_{\rho_j}$. Then, we have $level_{prnt_v} \prec m_i$.
The boundedness of $\mathcal{M}$ implies that $level_v = met(level_{prnt_v}, w_{v,prnt_v}) \prec m_i$ in $\rho_{j+1}$, that
contradicts the fact that $v \in E_{\rho_{j+1}}$.

In the two cases, our claim is satisfied. In other words, there exists a point of the execution (namely
$\rho_k$) after which the set $E$ cannot grow (this implies that, if a process leaves the set $E$, it leaves it
definitively).

Assume now that there exists a step $\rho_j \mapsto \rho_{j+1}$ (with $j \ge k$) such that a process $v \in E_{\rho_j}$ is
activated. Observe that the closure of $IM_{m_i}$ implies that $v$ cannot be activated by the rule $(R_3)$.
If $v$ activates $(R_1)$ during this step, then $v$ modifies its level during this step (otherwise, we have
a contradiction with the fact that $level_{prnt_v} = m_i \Rightarrow dist_{prnt_v} = D$). The closure of $IM_{m_i}$ implies
that $v$ leaves the set $E$ during this step. If $v$ activates $(R_2)$ during this step, then $v$ chooses a new
parent which has a distance smaller than $D - 1$ in $\rho_j$. This implies that this new parent does not
belong to $E_{\rho_j}$. Then, we have $level_{prnt_v} \prec m_i$. The boundedness of $\mathcal{M}$ implies that $level_v \prec m_i$
in $\rho_{j+1}$. In other words, if a process of $E_{\rho_j}$ is activated during the step $\rho_j \mapsto \rho_{j+1}$, then it satisfies

Finally, observe that the construction of the protocol and the construction of the bound $D$
ensure us that any process $v \in I_{m_i}$ such that $dist_v = D$ is activated in a finite time. In conclusion,
we obtain that there exists an integer $j$ such that $E_{\rho_j} = \emptyset$, that implies the result. □

Lemma 8 For any $m_i \in M$ and for any configuration $\rho \in \mathcal{LC}_{m_i}$, any execution of $\mathcal{SSMAX}$
starting from $\rho$ reaches in a finite time a configuration $\rho'$ such that $IM_{m_{i+1}}$ holds.

Proof This result is a direct consequence of Lemmas 6 and 7. □

Lemma 9 For any $m_i \in M$ and for any configuration $\rho \in \mathcal{LC}_{m_i}$, any execution of $\mathcal{SSMAX}$
starting from $\rho$ reaches in a finite time a configuration of $\mathcal{LC}_{m_{i+1}}$.

Proof Let $m_i$ be a metric value of $M$ and $\rho$ be an arbitrary configuration of $\mathcal{LC}_{m_i}$. We know by
Lemma 8 that any execution starting from $\rho$ reaches in a finite time a configuration $\rho'$ such that
$IM_{m_{i+1}}$ holds. By closure of $IM_{m_{i+1}}$ and of $\mathcal{LC}_{m_i}$ (established respectively in Lemmas 2 and 3),
we know that any configuration of any execution starting from $\rho'$ belongs to $\mathcal{LC}_{m_i}$ and satisfies

We know that $V_{m_i} \ne \emptyset$ since $r \in V_{m_i}$ for any $i \ge 0$. Remind that $V_{m_{i+1}}$ is connected by the
boundedness of $\mathcal{M}$. Then, we know that there exists at least one process $p$ of $P_{m_{i+1}}$ which has a
neighbor $q$ in $V_{m_i}$ such that $\mu(p,r) = met(\mu(q,r), w_{p,q})$. Moreover, Lemma 3 ensures us that any
process of $V_{m_i}$ takes no step in any execution starting from $\rho'$.

Observe that, for any configuration of an execution starting from $\rho'$, if no process of $P_{m_{i+1}}$ is
enabled, then all processes $v$ of $P_{m_{i+1}}$ satisfy $spec(v)$. Assume now that there exists an execution
$e$ starting from $\rho'$ in which some processes of $P_{m_{i+1}}$ take infinitely many steps. By construction,
at least one of these processes (note it $v$) has a neighbor $u$ such that $\mu(v,r) = met(\mu(u,r), w_{v,u})$
which takes only a finite number of steps in $e$ (recall the construction of $p$). After $u$ takes its last
step of $e$, we can observe that $level_u = \mu(u,r)$ and $dist_u \le D - 1$ (otherwise, $u$ is activated in a
finite time, that contradicts its construction).

As $v$ can consequently execute $(R_1)$ only a finite number of times (since the incrementation of
$dist_v$ is bounded by $D$), we can deduce that $v$ executes $(R_2)$ or $(R_3)$ infinitely often. In both cases,
$u$ belongs to the set which is the parameter of function $choose$ (remind that $IM_{m_{i+1}}$ is satisfied and
that $u$ has the best possible metric among $v$'s neighbors). By the construction of this function,
we can deduce that $prnt_v = u$ in a finite time in $e$. Then, the construction of $u$ implies that $v$ is
never enabled in the sequel of $e$. This is contradictory with the construction of $e$.

Consequently, any execution starting from $\rho'$ reaches in a finite time a configuration such that
all processes of $P_{m_{i+1}}$ are not enabled. We can deduce that this configuration belongs to $\mathcal{LC}_{m_{i+1}}$,
that ends the proof. □

Lemma 10 Starting from any configuration, any execution of $\mathcal{SSMAX}$ reaches a configuration
of $\mathcal{LC}$ in a finite time.

Proof Let $\rho$ be an arbitrary configuration. We know by Lemma 5 that any execution starting
from $\rho$ reaches in a finite time a configuration of $\mathcal{LC}_{m_r} = \mathcal{LC}_{m_0}$. Then, we can apply at most $k$
times the result of Lemma 9 to obtain that any execution starting from $\rho$ reaches in a finite time
a configuration of $\mathcal{LC}_{m_k} = \mathcal{LC}$, that proves the result. □

Theorem 11 $\mathcal{SSMAX}$ is a $(S_B, n-1)$-TA-strictly stabilizing protocol for $spec$.

Proof This result is a direct consequence of Lemmas 4 and 10. □



4.3 Proof of the $(t, S_B^*, n-1)$-TA Strong Stabilization for $spec$

Let $E_B = S_B \setminus S_B^*$ (i.e. $E_B$ is the set of processes $v$ such that $\mu(v,r) = \max_{b \in B}\{\mu(v,b)\}$). Note that
the subsystem induced by $E_B$ may have several connected components. In the following, we use the
following notations: $E_B = \{E_B^0, \ldots, E_B^\ell\}$ where each $E_B^i$ ($i \in \{0, \ldots, \ell\}$) is a subset of $E_B$ inducing
a maximal connected component, $\delta(E_B^i)$ ($i \in \{0, \ldots, \ell\}$) is the diameter of the subsystem induced
by $E_B^i$, and $\delta = \max\{\delta(E_B^i) \mid i \in \{0, \ldots, \ell\}\}$. When $a$ and $b$ are two integers, we define the following function:


Lemma 11 If $\rho$ is a configuration of $\mathcal{LC}$, then any process $v \in E_B$ is activated at most $\Pi(k,\delta)\Delta D$
times in any execution starting from $\rho$.

Proof Let $\rho$ be a configuration of $\mathcal{LC}$ and $e$ be an execution starting from $\rho$. Let $p$ be a process
of $E_B^i$ ($i \in \{0, \ldots, \ell\}$) such that there exists a neighbor $q$ which satisfies $q \in V \setminus S_B$ and $\mu(p,r) =
met(\mu(q,r), w_{p,q})$ (such a process exists by construction of $E_B^i$). We are going to prove by induction
on $d$ the following property:

$(P_d)$: if $v$ is a process of $E_B^i$ such that $d_{E_B^i}(p,v) = d$ (where $d_{E_B^i}$ denotes the distance in the
subsystem induced by $E_B^i$), then $v$ executes at most $\Pi(k,d)\Delta D$ actions in $e$.

Initialization: $d = 0$.

This implies that $v = p$. Then, by construction, there exists a neighbor $q$ which satisfies
$q \in V \setminus S_B$ and $\mu(p,r) = met(\mu(q,r), w_{p,q})$. As $\rho \in \mathcal{LC}$, Lemma 4 ensures us that $level_q =
\mu(q,r)$ and $dist_q \le D - 1$ in any configuration of $e$. Then, the boundedness of $\mathcal{M}$ implies
that $q$ belongs to the set which is parameter to the macro $choose$ at any execution of rules
$(R_2)$ or $(R_3)$ by $p$. Consequently, $p$ executes at most $\Delta$ times rules $(R_2)$ and $(R_3)$ in $e$
before choosing $q$ as its parent. Moreover, note that $p$ can execute rule $(R_1)$ at most $D$ times
between two consecutive executions of rules $(R_2)$ and $(R_3)$ (because $(R_1)$ only increases
$dist_p$, which is bounded by $D$). Consequently, $p$ executes at most $\Delta D$ actions before choosing
$q$ as its parent.

By Lemma 4, we know that $q$ takes no action in $e$. Once $p$ chooses $q$ as its parent, its state
is consistent with the one of $q$ (by construction of rules $(R_2)$ and $(R_3)$). Hence, $p$ is never
enabled after choosing $q$ as its parent. Consequently, we obtain that $p$ takes at most $\Delta D$
actions in $e$, that proves $(P_0)$.

Induction: $d > 0$ and $(P_{d-1})$ is true.

Let $v$ be a process of $E_B^i$ such that $d_{E_B^i}(p,v) = d$. By construction, there exists a neighbor
$u$ of $v$ which belongs to $E_B^i$ such that $d_{E_B^i}(p,u) = d - 1$. By $(P_{d-1})$, we know that $u$ takes
at most $\Pi(k, d-1)\Delta D$ actions in $e$. The $k$-boundedness of the daemon allows us to conclude
that $v$ takes at most $k \times \Pi(k, d-1)\Delta D$ actions before the last action of $u$. Then, a similar
reasoning to the one of the initialization part allows us to say that $v$ takes at most $\Delta D$ actions
after the last action of $u$ (note that the fact that $|M(S)| \ge 2$, the construction of $D$ and the
management of $dist$ variables imply that $dist_u \le D - 1$ after the last step of $u$). In conclusion,
$v$ takes at most $k \times \Pi(k, d-1)\Delta D + \Delta D = \Pi(k,d)\Delta D$ actions in $e$, that proves $(P_d)$.

As $\delta$ denotes the maximal diameter of connected components of the subsystem induced by $E_B$,
we know that $d_{E_B^i}(p,v) \le \delta$ for any process $v$ in $E_B^i$. For any process $v$ of $E_B$, there exists
$i \in \{0, \ldots, \ell\}$ such that $v \in E_B^i$. We can deduce that any process of $E_B$ takes at most $\Pi(k,\delta)\Delta D$
actions in $e$, that implies the result. □

Lemma 12 If $\rho$ is a configuration of $\mathcal{LC}$ and $v$ is a process such that $v \in E_B$, then for any execution
$e$ starting from $\rho$ either

1. there exists a configuration $\rho'$ of $e$ such that $spec(v)$ is always satisfied after $\rho'$, or

2. $v$ is activated in $e$.

Proof Let $\rho$ be a configuration of $\mathcal{LC}$ and $v$ be a process such that $v \in E_B$. By contradiction,
assume that there exists an execution $e$ starting from $\rho$ such that (i) $spec(v)$ is infinitely often false
in $e$ and (ii) $v$ is never activated in $e$.

For any configuration $\rho$, let us denote by $P_v(\rho) = (v_0 = v, v_1 = prnt_{v_0}, v_2 = prnt_{v_1}, \ldots, v_k =
prnt_{v_{k-1}}, p_v = prnt_{v_k})$ the maximal sequence of processes following pointers $prnt$ (maximal means
here that either $prnt_{p_v} = \bot$ or $p_v$ is the first process such that $p_v = v_i$ for some $i \in \{0, \ldots, k\}$).

Let us study the following cases:

Case 1: $prnt_v \in V \setminus S_B$ in $\rho$.

Since $\rho \in \mathcal{LC}$, $prnt_v$ satisfies $spec(prnt_v)$ in $\rho$ and in any execution starting from $\rho$ (by
Lemma 4). Hence, $prnt_v$ is never activated in $e$. If $v$ does not satisfy $spec(v)$ in $\rho$, then we
have $level_v \ne met(level_{prnt_v}, w_{v,prnt_v})$ or $dist_v \ne \cdots$ in $\rho$. Then, $v$ is continuously enabled in $e$
and we have a contradiction between assumption (ii) and the strong fairness of the scheduling.
This implies that $v$ satisfies $spec(v)$ in $\rho$. The fact that $prnt_v$ is never activated in $e$ and that
the state of $v$ is consistent with the one of $prnt_v$ ensures us that $v$ is never enabled in any
execution starting from $\rho$. Hence, $spec(v)$ remains true in any execution starting from $\rho$. This
contradicts the assumption (i) on $e$.

Case 2: $prnt_v \notin V \setminus S_B$ in $\rho$.

By the assumption (i) on $e$, we can deduce that there exist infinitely many configurations $\rho'$
such that a process of $P_v(\rho')$ is enabled (since $spec(v)$ is false only when the state of a process
of $P_v(\rho')$ is not consistent with the one of its parent, which makes it enabled). By construction,
the length of $P_v(\rho')$ is finite for any configuration $\rho'$ and there exists only a finite number of
processes in the system. Consequently, there exists at least one process which is infinitely
often enabled in $e$. Since the scheduler is strongly fair, we can conclude that there exists at
least one process which is infinitely often activated in $e$.

Let $A_e$ be the set of processes which are infinitely often activated in $e$. Note that $v \notin A_e$
by assumption (ii) on $e$. Let $e' = \ldots$ be the suffix of $e$ which contains only activations of
processes of $A_e$. Let $p$ be the first process of $P_v(\rho')$ which belongs to $A_e$ ($p$ exists since at
least one process of $P_v$ is enabled when $spec(v)$ is false). By construction, the prefix of $P_v(\rho'')$
from $v$ to $p$ in any configuration $\rho''$ of $e'$ remains the same as the one of $P_v(\rho')$. Let $p'$ be the
process such that $prnt_{p'} = p$ in $e'$ ($p'$ exists since $v \ne p$ implies that the prefix of $P_v(\rho')$ from
$v$ to $p$ counts at least two processes). As $p$ is infinitely often activated and as any activation
of $p$ modifies the value of $level_p$ or of $dist_p$ (at least one of these two variables takes at least
two different values in $e'$), we can deduce that $p'$ is infinitely often enabled in $e'$ (since the
value of $level_{p'}$ is constant by construction of $e'$ and $p$). Since the scheduler is strongly fair,
$p'$ is activated in a finite time in $e'$, that contradicts the construction of $p$.

In the two cases, we obtain a contradiction with the construction of $e$, that proves the result. □
Let $\mathcal{LC}^*$ be the following set of configurations:

$\mathcal{LC}^* = \{\rho \in C \mid (\rho \text{ is } S_B^*\text{-legitimate for } spec) \wedge (IM_{m_k}(\rho) = true)\}$

Note that, as $S_B^* \subseteq S_B$, we can deduce that $\mathcal{LC}^* \subseteq \mathcal{LC}$. Hence, properties of Lemmas 11 and
12 also apply to configurations of $\mathcal{LC}^*$.

Lemma 13 Any configuration of $\mathcal{LC}^*$ is $(n\Pi(k,\delta)\Delta D, \Pi(k,\delta)\Delta D, S_B^*, n-1)$-TA time contained
for $spec$.

Proof Let $\rho$ be a configuration of $\mathcal{LC}^*$. As $S_B^* \subseteq S_B$, we know by Lemma 4 that any process $v$ of
$V \setminus S_B$ satisfies $spec(v)$ and takes no action in any execution starting from $\rho$.

Let $v$ be a process of $E_B$. By Lemmas 11 and 12, we know that $v$ takes at most $\Pi(k,\delta)\Delta D$
actions in any execution starting from $\rho$. Moreover, we know that $v$ satisfies $spec(v)$ after its last
action (otherwise, we obtain a contradiction between the two lemmas). Hence, any process of $E_B$
takes at most $\Pi(k,\delta)\Delta D$ actions and then, there are at most $n\Pi(k,\delta)\Delta D$ $S_B^*$-TA-disruptions in
any execution starting from $\rho$ (since $|E_B| \le n$).

By definition of a TA time contained configuration, we obtain the result. □

Lemma 14 Starting from any configuration, any execution of $\mathcal{SSMAX}$ reaches a configuration
of $\mathcal{LC}^*$ in a finite time.

Proof Let $\rho$ be an arbitrary configuration. We know by Lemma 10 that any execution starting
from $\rho$ reaches in a finite time a configuration $\rho'$ of $\mathcal{LC}$.

Let $v$ be a process of $E_B$. By Lemmas 11 and 12, we know that $v$ takes at most $\Pi(k,\delta)\Delta D$
actions in any execution starting from $\rho'$. Moreover, we know that $v$ satisfies $spec(v)$ after its
last action (otherwise, we obtain a contradiction between the two lemmas). This implies that any
execution starting from $\rho'$ reaches a configuration $\rho''$ such that any process $v$ of $E_B$ satisfies $spec(v)$.
It is easy to see that $\rho'' \in \mathcal{LC}^*$, that ends the proof. □

Theorem 12 $\mathcal{SSMAX}$ is a $(n\Pi(k,\delta)\Delta D, S_B^*, n-1)$-TA strongly stabilizing protocol for $spec$.

Proof This result is a direct consequence of Lemmas 13 and 14. □

5 Concluding Remarks

We now discuss the relationship between TA strong and strong stabilization for maximum
metric tree construction. We characterize by a necessary and sufficient condition the set of assigned
metrics that allow strong stabilization. Indeed, properties of the metric itself are not sufficient to
conclude on the possibility of strong stabilization: we must know information about the considered
system (the assignment of the metric).

Informally, it is possible to construct a maximum metric tree in a strongly stabilizing way if
and only if the considered metric is strongly maximizable and the desired containment radius is
sufficiently large. More formally:

Theorem 13 Given an assigned metric $\mathcal{AM} = (M, W, mr, met, \prec, wf)$ over a system $S$, there
exists a $(t, c, n-1)$-strongly stabilizing protocol for maximum metric spanning tree construction
with a finite $t$ if and only if:

1. $(M, W, met, mr, \prec)$ is a strongly maximizable metric, and

2. $c \ge \max\{0, |M(S)| - 2\}$

Proof We split this proof into two parts:

1) Proof of the "if" part: Denote $(M, W, met, mr, \prec)$ by $\mathcal{M}$ and assume that $\mathcal{M}$ is a strongly
maximizable metric and that $c \ge \max\{0, |M(S)| - 2\}$. We distinguish the following cases:

Case 1: $|M(S)| = 1$ (and hence $c \ge 0$).

Denote by $m$ the metric value such that $M(S) = \{m\}$. For any correct process $v$, we have
$\mu(v,r) = \min_{b \in B}\{\mu(v,b)\} = m$. We can deduce that it is equivalent to construct a maximum
metric spanning tree for $\mathcal{M}$ and for $\mathcal{NC}$ over this system. By Theorem 4, we know that there
exists a $(t, 0, n-1)$-strongly stabilizing protocol for this problem with a finite $t$, that proves
the result.

Case 2: $|M(S)| \ge 2$ (and hence $c \ge |M(S)| - 2$).

By Theorem 12, we know that there exists a $(n\Pi(k,\delta)\Delta D, S_B^*, n-1)$-TA-strongly stabilizing
protocol $\mathcal{P}$ for maximum metric spanning tree construction in this case. Denote by $\bot$ the
only fixed point of $\mathcal{M}$. Let $v$ be a correct process such that $v \in S_B^*$.

By definition of $S_B^*$, we have: $\mu(v,r) \prec \mu(v,b)$ for at least one Byzantine process $b$. As $\mathcal{M}$
is strictly decreasing and has only one fixed point, we can deduce that $\bot \preceq \mu(v,r)$ and then

Assume that $d(v,b) > c \ge |M(S)| - 2$. As $\mathcal{M}$ is strictly decreasing, has only one fixed point
$\bot$, and $\mathcal{M}$ has $|M(S)|$ distinct metric values over $S$, we can conclude that $\mu(v,b) = \bot$. This
contradiction allows us to conclude that there exists a process $b$ such that $d(v,b) \le c$ for any
correct process which belongs to $S_B^*$.

In other words, $S_B^* = \{v \in V \mid \min_{b \in B}\{d(v,b)\} \le c\}$ and $\mathcal{P}$ is in fact a $(n\Pi(k,\delta)\Delta D, c, n-1)$-
strongly stabilizing protocol, that proves the result with $t = n\Pi(k,\delta)\Delta D$.

2) Proof of the "only if" part: This result is a direct consequence of Theorem 8 when we
observe that $|M(S)| \le |M|$ by definition. □
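As an added worked example (not from the paper, and not the authors' protocol), the following Python script checks the radius argument of Case 2 above on a small constructed system. It assumes one concrete strongly maximizable metric (integer values, $met(m, w) = \max(m - w, 0)$, a single fixed point 0 and $mr = 3$), that $\mu(v, x)$ is the maximum metric value over all paths from $x$ to $v$, that $S_B$ and $S_B^*$ contain the correct processes for which some Byzantine process yields a metric at least as good as, respectively strictly better than, the root's, and that $M(S)$ is the set of values any process can hold in the system. All function names and the sample graph are the example's own.

```python
"""Constructed example: Theorem 13, Case 2, radius check on a toy system."""
from collections import deque

FIXED_POINT = 0   # the single fixed point of met (the paper's bottom value, assumed)
MR = 3            # metric value held by a source (the paper's mr, assumed)


def met(m, w):
    """Metric propagated across an edge of weight w (assumed definition):
    strictly decreasing everywhere except at the fixed point."""
    return max(m - w, FIXED_POINT)


def max_metric(graph, weights, source):
    """mu(v, source) for every v: the best (maximum) metric value over all
    paths from source to v.  Plain relaxation; it terminates because every
    update strictly raises a value and no value can exceed MR."""
    mu = {v: FIXED_POINT for v in graph}
    mu[source] = MR
    changed = True
    while changed:
        changed = False
        for u in graph:
            for v in graph[u]:
                cand = met(mu[u], weights[frozenset((u, v))])
                if cand > mu[v]:
                    mu[v] = cand
                    changed = True
    return mu


def hop_distance(graph, source):
    """d(source, v): hop distance by breadth-first search."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def byzantine_sets(graph, weights, root, byz):
    """S_B, S_B^* and E_B under the reading assumed in this example:
    S_B   = correct v with max_b mu(v, b) >= mu(v, r),
    S_B^* = correct v with max_b mu(v, b) >  mu(v, r),
    E_B   = S_B minus S_B^* (the ties)."""
    mu_r = max_metric(graph, weights, root)
    mu_b = {v: max(max_metric(graph, weights, b)[v] for b in byz) for v in graph}
    s_b = {v for v in graph if v not in byz and mu_b[v] >= mu_r[v]}
    s_b_star = {v for v in s_b if mu_b[v] > mu_r[v]}
    return s_b, s_b_star, s_b - s_b_star


def metric_values(graph, weights):
    """M(S), read here as every value some process can hold when any
    process plays the source (an assumption of this example)."""
    return {m for x in graph for m in max_metric(graph, weights, x).values()}


def check_radius_bound(graph, weights, root, byz):
    """Case 2 claim: every correct process of S_B^* lies within
    c = |M(S)| - 2 hops of some Byzantine process.  Returns
    (c, worst observed min_b d(v, b) over S_B^*, whether the bound holds)."""
    c = max(0, len(metric_values(graph, weights)) - 2)
    _, s_b_star, _ = byzantine_sets(graph, weights, root, byz)
    dist_to_byz = [hop_distance(graph, b) for b in byz]
    worst = max((min(d[v] for d in dist_to_byz) for v in s_b_star), default=0)
    return c, worst, worst <= c


# Constructed system: a path r-u1-u2-u3-u4-u5-b with unit weights, plus a
# leaf y hanging from u1 over a weight-2 edge.  b is the only Byzantine process.
EDGES = [("r", "u1", 1), ("u1", "u2", 1), ("u2", "u3", 1),
         ("u3", "u4", 1), ("u4", "u5", 1), ("u5", "b", 1), ("u1", "y", 2)]
GRAPH = {}
WEIGHTS = {}
for a, b_, w in EDGES:
    GRAPH.setdefault(a, set()).add(b_)
    GRAPH.setdefault(b_, set()).add(a)
    WEIGHTS[frozenset((a, b_))] = w
ROOT, BYZ = "r", {"b"}

if __name__ == "__main__":
    s_b, s_b_star, e_b = byzantine_sets(GRAPH, WEIGHTS, ROOT, BYZ)
    print("S_B =", sorted(s_b), " S_B^* =", sorted(s_b_star), " E_B =", sorted(e_b))
    print("(c, worst min_b d(v,b), holds) =", check_radius_bound(GRAPH, WEIGHTS, ROOT, BYZ))
```

On this system $M(S) = \{0, 1, 2, 3\}$, so $c = 2$; the processes $u4$ and $u5$ form $S_B^*$ and sit 2 and 1 hops from $b$, so the bound is met and is tight at $u4$. The ties $u3$ and $y$ land in $E_B$, which the argument does not constrain by distance: $y$ is six hops from $b$ yet still in $S_B$, which is why the paper separates $E_B$ from $S_B^*$.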
We can now summarize all results about self-stabilizing maximum metric tree construction in
presence of Byzantine faults with the following table. Note that results provided in this paper fill all
gaps pointed out in related works.

Assumption: $\mathcal{M} = (M, W, mr, met, \prec)$ is a maximizable metric

Problem                                          | Result
-------------------------------------------------+-----------------------------------------------------------
$(c, f)$-strict stabilization                    | Impossible
(for any $c$ and $f$)                            | ([reference illegible])
-------------------------------------------------+-----------------------------------------------------------
$(t, c, f)$-strong stabilization                 | Possible if and only if $\mathcal{M}$ is a strongly maximizable
(for $0 \le f \le n-1$ and a finite $t$)         | metric and $c \ge \max\{0, |M(S)| - 2\}$ (Theorem 13)
-------------------------------------------------+-----------------------------------------------------------
$(A_B, f)$-TA strict stabilization               | Impossible
(for any $f$ and $A_B \subsetneq S_B$)           | ([reference illegible])
-------------------------------------------------+-----------------------------------------------------------
$(S_B, f)$-TA strict stabilization               | Possible
(for $0 \le f \le n-1$)                          | ([reference illegible] and Theorem 11)
-------------------------------------------------+-----------------------------------------------------------
$(t, A_B, f)$-TA strong stabilization            | Impossible
(for any $f$ and $A_B \subsetneq S_B$)           | ([reference illegible])
-------------------------------------------------+-----------------------------------------------------------
$(t, S_B^*, f)$-TA strong stabilization          | Possible
(for $0 \le f \le n-1$ and a finite $t$)         | (Theorem 12)

To conclude about results presented in this paper, we must bring some precisions about specifications.
We chose to work with a specification of the problem that considers the $dist$ variable
as an O-variable. This choice may appear strong but it seems necessary to us to keep the consistency
of results. Indeed, impossibility results of Section 3 can be proved with a weaker specification
that does not consider the $dist$ variable as an O-variable (see [8]). On the other hand, we need the
stronger specification to bound the number of disruptions of the proposed protocol. We postulate
that our protocol is also TA strongly stabilizing with the weaker specification but we did not succeed
in bounding exactly the number of disruptions.

The following questions are still open. Is it possible to bound the number of disruptions with
the weaker specification? Is it possible to perform TA strong stabilization with a weaker daemon?
Is it possible to decrease the number of disruptions without losing the optimality of the containment
area?